ENTERPRISE RISK MANAGEMENT: AN INTRODUCTION
Participant Guide

About This Course

Enterprise Risk Management

Welcome
Welcome and thank you for participating in “Enterprise Risk Management.”

www.theiia.org/training -2-

Seminar Description
This course is intended to give participants an opportunity to learn about the COSO ERM framework and benchmark their ERM activities against the framework.

The Institute of Internal Auditors, Inc., Altamonte Springs, FL © 2009 -3-

Seminar Objectives
By the end of this seminar, you should be able to:
• Improve your understanding of Enterprise Risk Management (ERM).
• Broaden your risk assessment perspective to cover all significant internal and external business risks.
• Benchmark, or reinvent, your risk management tools and practices.
• Understand the new COSO ERM Framework.
• Gain an understanding of current issues, challenges, and emerging practices regarding risk management, control, and governance processes.

Seminar Topics
We will review the following topics in this seminar:
• What ERM Is and Is Not
• ERM Essentials
• Internal Environment
• Risk Identification and Assessment
• Risk Responses
• Risk Monitoring

Participant Introductions
Introduce yourself to your team members, using the following guide:
• Name and Job Title
• Organization
• ERM Status
  • 1 = Planning
  • 3 = Roll Out
  • 5 = Done
  • 0 = None or N/A
• Your current or desired role in ERM
• The Icebreaker Question!

Working Agreement
Much of the success of this course depends on creating an effective learning environment and process. To create this environment and process, we need a working agreement. Our agreement follows the acronym PROCESS. We agree to:

P = Participation – This seminar is highly participatory.
By agreeing to actively participate in discussions and exercises, participants will get the greatest benefit from the program.
R = Respect – There will be times when we will agree to disagree on the significance of issues, possible solutions, and best practices. We agree to show respect by actively listening to other viewpoints and not forcing our views on other participants.
O = Openness – We will share our experiences and provide constructive feedback. By agreeing to such openness, participants can expand their perspectives and build their skills.
C = Confidentiality – Confidential matters should not be discussed outside of class. Be aware that information of this kind may have consequences for others.
E = Enthusiasm – Be enthusiastic about this learning experience!
S = Sensitivity – Participants should be sensitive to the feelings and perspectives of others.
S = Sense of fun – This seminar should be an enjoyable experience for the participants and the leader. If we approach the discussions, exercises, and other learning tools in the right frame of mind, we will not only have fun but will also learn more.

Participant Expectations, Ideas, and Insights
As you go through the seminar, record ideas and insights for your own use and to share with others.

What ERM Is and Is Not

Introduction
Overview
There has been a considerable amount of published (and presented) information on risk management. This information has come from several different sources with a variety of perspectives on what risk management is and is not. The ERM pioneers have developed innovative implementation strategies and risk management processes. In other words, ERM is not a one-size-fits-all proposition.

The primary purposes of this unit are to:
• Create the foundation and explore the COSO-based road map that will be used to deliver this seminar.
• Give you an opportunity to discuss ERM implementation issues such as strategies, roles, and responsibilities.

Objectives
By the end of this unit, you should be able to:
• Describe the frameworks and other components associated with the background of Enterprise Risk Management (ERM).
• Identify the components of the COSO ERM Executive Summary.
• Identify what has changed in the COSO Framework.
• Identify an Enterprise Risk Management implementation strategy.
• Identify the internal auditor’s role in Enterprise Risk Management (ERM).

Readings and Resources
• Reading 2-1: ERM Benchmarking Survey (November 2008 GAIN Flash Survey)
• Exhibit 2-1: The Role of Internal Auditing in Enterprise-wide Risk Management (The IIA Position Paper)

Enterprise Risk Management (ERM) Overview

Enterprise Risk Management Discussion
• How long have organizations had formal risk management activities?
• How many individuals/functions currently have risk management in their titles?
• When (and why) was enterprise added to risk management?
• What are some of the differences between internal audit risk assessment and ERM?

The Institute of Internal Auditors, Inc., Altamonte Springs, FL © 2010 -3-

Enterprise Risk Management Status
2008 GAIN ERM Benchmarking Survey
• Demographics: Questions 45-47
• Drivers: Questions 4-5

COSO ERM Executive Summary

COSO Project Overview
COSO ERM Framework Background:
• Concluded there was a need for a recognized framework despite the abundance of literature on the subject.
• Believes that all organizations can benefit from improved risk identification and risk analysis procedures.
• Recognizes that many organizations are engaged in some aspects of risk management.
• Believes that this study will help identify all of the aspects that should be present and how they can be coordinated.
COSO Project Deliverables
Framework Volume
• Defines ERM
• Describes principles and concepts
• Provides direction for all levels of management to use in evaluating and enhancing the effectiveness of ERM
Application Guidance Volume
• Provides illustrations of useful techniques in applying elements of the framework

Enterprise Risk Management Definitions
COSO
Enterprise risk management is a process, effected by an entity’s board of directors, management, and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.
IIA Research Report
A rigorous and coordinated approach to assessing and responding to all risks that affect the achievement of an organization’s strategic and financial objectives. This includes both upside and downside risks.
Core Concepts
• Ongoing process and rigorous approach
• Effected by people; everyone has a role
• Enterprise-wide and coordinated approach
• Applied in strategy setting
• Manage events within risk appetite v. respond to upside and downside risks
• One or more separate but overlapping categories of objectives v. strategic and financial objectives

Enterprise Risk Management Premises
ERM enables management to effectively deal with uncertainty and associated risk and opportunity, enhancing the capacity to build value. ERM encompasses:
• Aligning risk appetite and strategy.
• Enhancing risk response decisions.
• Reducing operational surprises and losses.
• Identifying and managing cross-enterprise risks.
• Seizing opportunities.
• Improving deployment of capital.
COSO Framework: What Is Different

Roles and Responsibilities
CEO
• Ultimately responsible
Other Managers
• Support the entity’s ERM philosophy
• Promote compliance with its risk appetite
• Manage risks in their areas of responsibility
Board of Directors
• Oversight
• Aware of and concur with the entity’s risk appetite
Risk Officer, Financial Officer, Internal Auditor
• Key support responsibilities
Other Personnel
• Comply with directives and protocols
External Parties (e.g., customers, regulators)
• Provide useful information, but are not responsible for ERM effectiveness, nor are they part of the entity’s ERM

ERM Limitations
• Risk relates to the future, which is inherently uncertain.
• ERM operates at different levels with respect to different objectives (strategic v. operations v. reporting or compliance).
• ERM cannot provide absolute assurance (e.g., judgment, breakdowns, override, collusion, and cost v. benefit).

Enterprise Risk Management Effectiveness
ERM effectiveness is a judgment based on:
• An assessment of whether the eight components are present and functioning effectively.
• Present/functioning requires no material weaknesses and that risks have been brought within the entity’s risk appetite.

How to Use the Report
Board of Directors
• Discuss the status of the entity’s ERM and provide oversight as needed.
• Ensure that they are apprised of the entity’s most significant risks and actions.
Senior Management
• Assess the entity’s ERM capabilities and determine if there is a need for a broader, more in-depth evaluation.
Other Personnel
• Managers and other personnel
• Internal Auditors
Other External Parties
• Regulators
• Professional organizations
• Educators

What’s Next

Enterprise Risk Management Implementation

Implementation Overview
2008 GAIN ERM Benchmarking Survey
• Implementation: Questions 8-11
• Benefits: Questions 6-7
• Barriers: Questions 12-13

Activity: Organizational Benefits and Barriers
Your Organization’s Benefits and Barriers
Instructions
Consider all of the benefits and barriers that we have covered, and identify your top three items in the space provided below.
Benefits
__________________________________________
__________________________________________
__________________________________________
Barriers
__________________________________________
__________________________________________
__________________________________________

Implementation Options and Decisions
Many organizations have elected to target, or focus on, their most significant risk factors, for example, strategic risks or an industry-specific risk such as credit quality or compliance in banking. Other organizations have attempted to complete a comprehensive inventory of all of their risk factors.
• Scope: targeted risks or all risks
• Models: risk factors or processes
• Champions: subject matter experts and entity-level executives
• Owners: process/unit-level managers
• Initial Approach: pilots or full rollout

Implementation Success Factors
• Strong, visible support from senior management and/or the board of directors
• Dedicated cross-functional group to drive the implementation and continue to push it in its operational phase
• Closely linking ERM to key strategic/financial objectives and to the business planning process
• Introducing ERM as an enhancement to well-accepted processes — not a stand-alone process
• Importing ideas from the outside
• Proceeding incrementally and leveraging “early wins”

Internal Audit’s Role(s) in Enterprise Risk Management

Overview
Internal Audit’s Role When ERM Does Not Exist
• Bring this to management’s attention along with suggestions for establishing such a process
• If requested, play a proactive role in assisting with the initial establishment of a risk management process for the organization
Internal Audit’s Role Continuum
• No role
• Auditing the risk management process
• Active, continuous support and involvement
• Managing and coordinating the risk management process

IIA Position Paper
Core Internal Audit roles in regard to ERM:
• Giving assurance on risk management processes
• Giving assurance that risks are correctly evaluated
• Evaluating risk management processes
• Evaluating the reporting of key risks
• Reviewing the management of key risks
Roles Internal Audit should NOT undertake:
• Setting the risk appetite
• Imposing risk management processes
• Management assurance on risks
• Making decisions on risk responses
• Implementing risk responses on management's behalf
• Accountability for risk management
Legitimate Internal Audit roles with safeguards:
• Facilitating identification and evaluation of risks
• Coaching management in responding to risks
• Coordinating ERM activities
• Consolidating the reporting on risks
• Maintaining and developing the ERM framework
• Championing establishment of ERM
• Developing risk management strategy for board approval

Activity: ERM Implementation

ERM Implementation Scenario #1
Background Information
The enterprise is a diversified financial service organization. The organization has several product lines and offers a wide variety of financial services. It has over 7,000 employees in its operating units and branch locations. They are implementing ERM for strategic and competitive reasons; they want to raise their risk tolerance through better insights into risk/return trade-offs. Up to this point, they have been a risk-averse organization. In the near future, they plan on moving from mutual to public ownership. Based on their internal assessment, they currently have a fragmented approach to risk management among business units and specialized functions. There also is some resistance to ERM related to resource availability.
Questions
• Who will be on your ERM implementation team and what will their roles be?
• What will your team’s initial ERM deliverable(s) be — an inherent risk profile, a residual risk profile, or something else?
• What are some of your team’s key activities in the first phase of ERM implementation?
• Who will manage/coordinate the ERM process when it is fully operational?

ERM Implementation Scenario #2
Background Information
The enterprise is a large, closely held electric utility. The organization has 15 business units that carry out similar production and distribution activities.
The organization also has several centralized activities (e.g., research, marketing, purchasing, internal audit, financial reporting, etc.). They are implementing ERM because the board is aware of its governance responsibilities and has a desire to maintain shareholder value. International markets are emerging with new risks (e.g., deregulation, increased competition, etc.). After an internal study, the organization decided to create an ERM department.
Questions
• What are some of the pros and cons related to creating an ERM department?
• What will your department’s initial ERM deliverable(s) be — an inherent risk profile, a residual risk profile, or something else?
• What are some of your department’s key activities in the first phase of ERM implementation?
• When the ERM process is fully operational, what will the role of the ERM department be, how large will the staff be, and how will they coordinate activities with the business units?

ERM Implementation Scenario #3
Background Information
The enterprise is an international mass merchandiser. The organization has several distribution channels. The organization is made up of several core business processes (e.g., people, procurement, operations, logistics, information systems, etc.) and numerous operating locations and units. Their ERM implementation is motivated by rapid growth and global expansion. They want to manage business risks in a more proactive, formalized way. Based on their internal assessment, they have several strengths that will be useful in ERM implementation. The strengths include their culture and beliefs (set your egos aside and have an open-minded approach to dealing with change), and clear business visions/missions and corresponding objectives.
Questions
• Who will be on your ERM implementation team and what will their roles be?
• Which ERM framework or model would you use — vertical/risk category, horizontal/process, or other?
• What are some of your team’s key activities in the first phase of ERM implementation?
• How will you create buy-in with various management groups?

Reading: GAIN ERM Benchmarking Survey
Please turn to the appendix for the reading: GAIN ERM Benchmarking Survey.

Unit Conclusion
Summary
You have completed the lesson “What ERM Is and Is Not.” Here are some key points:
• ERM tends to be found among larger organizations. Our challenge is to develop a practical ERM process that matches our organization’s needs and adds value.
• There are many different definitions of enterprise risk management. Most of these definitions agree on the core concepts, but differ on form or style. In many organizations, legacy or traditional risk management activities have created some confusion. For example, some people have mistaken property or casualty insurance risk management for ERM. The ERM executive summary has premises and benefits that can be used to sell ERM to management and directors. There is also a risk related to overselling ERM, so we must explore its limitations.
• One of the best ways to see what is different is to compare the COSO Internal Control Framework cube to the new COSO ERM Framework cube. The two COSO frameworks reinforce the concept that risk and control are everybody’s business.
• The new COSO Framework offers several ERM benefits. Many organizations have elected to target, or focus on, their most significant risk factors, e.g., strategic risks or an industry-specific risk such as credit quality or compliance in banking. Other organizations have attempted to complete a comprehensive inventory of all of their risk factors.
• Determining what the internal auditor’s role should be in ERM depends on many factors, such as the organization and the auditor’s skill sets.
Two Practice Advisories and an IIA Position Paper offer guidance on this issue. When ERM does not exist, it should be brought to management’s attention along with suggestions for establishing such a process. If requested, internal auditors should play a proactive role in assisting with the initial establishment of a risk management process for the organization.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

September 29, 2004
The Role of Internal Auditing in Enterprise-wide Risk Management
In conjunction with the newly released Committee of Sponsoring Organizations of the Treadway Commission (COSO) Enterprise Risk Management - Integrated Framework, The Institute of Internal Auditors (IIA), in coordination with its IIA-UK and Ireland affiliate, has issued a position paper on The Role of Internal Audit in Enterprise-wide Risk Management. The paper's purpose is to assist chief audit executives (CAEs) in responding to enterprise risk management (ERM) issues in their organizations. The paper suggests ways for internal auditors to maintain the objectivity and independence required by The IIA's International Standards for the Professional Practice of Internal Auditing (Standards) when providing assurance and consulting services.
Internal auditing's core role with regard to ERM is to provide objective assurance to the board on the effectiveness of an organization's ERM activities, to help ensure key business risks are being managed appropriately and that the system of internal control is operating effectively.

Recommended Roles
The main factors CAEs should take into account when determining internal auditing's role are whether the activity raises any threats to the internal auditors' independence and objectivity, and whether it is likely to improve the organization's risk management, control, and governance processes. The IIA's position paper indicates which roles internal auditing should and should not play throughout the ERM process.

Core internal auditing roles in regard to ERM.
• Giving assurance on risk management processes.
• Giving assurance that risks are correctly evaluated.
• Evaluating risk management processes.
• Evaluating the reporting of key risks.
• Reviewing the management of key risks.

Global Headquarters, 247 Maitland Avenue, Altamonte Springs, FL 32701-4201 USA. Tel: +1-407-937-1100 Fax: +1-407-937-1101 www.theiia.org

Legitimate internal auditing roles with safeguards.
• Facilitating identification and evaluation of risks.
• Coaching management in responding to risks.
• Coordinating ERM activities.
• Consolidating the reporting on risks.
• Maintaining and developing the ERM framework.
• Championing establishment of ERM.
• Developing risk management strategy for board approval.

Roles internal auditing should NOT undertake.
• Setting the risk appetite.
• Imposing risk management processes.
• Management assurance on risks.
• Taking decisions on risk responses.
• Implementing risk responses on management's behalf.
• Accountability for risk management.

The Institute emphasizes that organizations should fully understand that management remains responsible for risk management.
Internal auditors should provide advice, and challenge or support management's decisions on risk, as opposed to making risk management decisions. The nature of internal auditing's responsibilities should be documented in the audit charter and approved by the audit committee. Finally, The Role of Internal Audit in Enterprise-wide Risk Management is attached.

Established in 1941, The IIA serves approximately 95,000 members in internal auditing, governance, internal control, IT audit, education, and security worldwide. The Institute is the recognized authority, principal educator, and acknowledged leader in certification, research, and technological guidance for the profession worldwide.

Position Statement
The Institute of Internal Auditors
The Role of Internal Audit in Enterprise-wide Risk Management

Introduction
Over the last few years, the importance to strong corporate governance of managing risk has been increasingly acknowledged. Organisations are under pressure to identify all the business risks they face: social, ethical and environmental as well as financial and operational, and to explain how they manage them to an acceptable level. Meanwhile, the use of enterprise-wide risk management frameworks has expanded, as organisations recognise their advantages over less coordinated approaches to risk management. Internal audit, in both its assurance and its consulting roles, contributes to the management of risk in a variety of ways.

In 2002 The Institute of Internal Auditors – UK and Ireland issued a position statement on The Role of Internal Audit in Risk Management to provide guidance to members on the roles that were permissible and the safeguards needed to protect internal audit’s independence and objectivity. This new revised position statement supersedes the earlier one and takes account of recent developments from around the world in the field of risk management and in internal audit.

What is Enterprise-wide Risk Management?
People undertake risk management activities to identify, assess, manage, and control all kinds of events or situations. These can range from single projects or narrowly defined types of risk, e.g. market risk, to the threats and opportunities facing the organisation as a whole. The principles presented in this position statement can be used to guide the involvement of internal audit in all forms of risk management, but we are particularly interested in enterprise-wide risk management because this is likely to improve an organisation’s governance processes.

Enterprise-wide risk management (ERM) is a structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.

Responsibility for ERM
The board has overall responsibility for ensuring that risks are managed. In practice, the board will delegate the operation of the risk management framework to the management team, who will be responsible for completing the activities below. There may be a separate function that co-ordinates and project-manages these activities and brings to bear specialist skills and knowledge. Everyone in the organisation plays a role in ensuring successful enterprise-wide risk management, but the primary responsibility for identifying risks and managing them lies with management.

Benefits of ERM
ERM can make a major contribution towards helping an organisation manage the risks to achieving its objectives.
The benefits include:
• Greater likelihood of achieving those objectives;
• Consolidated reporting of disparate risks at board level;
• Improved understanding of the key risks and their wider implications;
• Identification and sharing of cross-business risks;
• Greater management focus on the issues that really matter;
• Fewer surprises or crises;
• More focus internally on doing the right things in the right way;
• Increased likelihood of change initiatives being achieved;
• Capability to take on greater risk for greater reward; and
• More informed risk-taking and decision-making.

The activities included in ERM
• Articulating and communicating the objectives of the organisation;
• Determining the risk appetite of the organisation;
• Establishing an appropriate internal environment, including a risk management framework;
• Identifying potential threats to the achievement of the objectives;
• Assessing the risk, i.e. the impact and likelihood of the threat occurring;
• Selecting and implementing responses to the risks;
• Undertaking control and other response activities;
• Communicating information on risks in a consistent manner at all levels in the organisation;
• Centrally monitoring and coordinating the risk management processes and the outcomes; and
• Providing assurance on the effectiveness with which risks are managed.

Position statement: The Role of Internal Audit in Enterprise-wide Risk Management

Providing assurance on ERM
The role of internal audit in ERM
One of the key requirements of the board or its equivalent is to gain assurance that risk management processes are working effectively and that key risks are being managed to an acceptable level. Internal auditing is an independent, objective assurance and consulting activity. Its core role with regard to ERM is to provide objective assurance to the board on the effectiveness of risk management.
Indeed, research has shown that board directors and internal auditors agree that the two most important ways that internal audit provides value to the organisation are in providing objective assurance that the major business risks are being managed appropriately and providing assurance that the risk management and internal control framework is operating effectively [1].

It is likely that assurance will come from different sources. Of these, assurance from management is fundamental. This should be complemented by the provision of objective assurance, for which internal audit is a key source. Other sources include external audit and independent specialist reviews. Internal audit will normally provide assurances on three areas:
• Risk management processes, both their design and how well they are working;
• Management of those risks classified as ‘key’, including the effectiveness of the controls and other responses to them; and
• Reliable and appropriate assessment of risks and reporting of risk and control status.

Figure 1 presents a range of ERM activities and indicates which roles an effective professional internal audit function should and, equally importantly, should not undertake. The key factors to take into account when determining internal audit’s role are whether the activity raises any threats to the internal audit function’s independence and objectivity and whether it is likely to improve the organisation’s risk management, control and governance processes.
Figure 1 – Internal audit role in ERM
(Dial diagram; only its labels survive extraction.) Left segment, "Core internal audit roles in regard to ERM": Giving assurance on the risk management processes; Giving assurance that risks are correctly evaluated; Evaluating risk management processes; Evaluating the reporting of key risks; Reviewing the management of key risks. Centre segment, "Legitimate internal audit roles with safeguards": Facilitating identification and evaluation of risks; Coaching management in responding to risks; Co-ordinating ERM activities; Consolidated reporting on risks; Maintaining and developing the ERM framework; Championing establishment of ERM; Developing RM strategy for board approval. Right segment, "Roles internal audit should not undertake": Setting the risk appetite; Imposing risk management processes; Management assurance on risks; Taking decisions on risk responses; Implementing risk responses on management's behalf; Accountability for risk management.

The activities on the left of Figure 1 are all assurance activities. They form part of the wider objective of giving assurance on risk management. An internal audit function complying with the International Standards for the Professional Practice of Internal Auditing can and should perform at least some of these activities.

Internal audit may provide consulting services that improve an organisation’s governance, risk management, and control processes. The extent of internal audit’s consulting in ERM will depend on the other resources, internal and external, available to the board and on the risk maturity [2] of the organisation, and it is likely to vary over time.
Internal audit’s expertise in considering risks, in understanding the connections between risks and governance and in facilitation means that it is well qualified to act as champion and even project manager for ERM, especially in the early stages of its introduction. As the organisation’s risk maturity increases and risk management becomes more embedded in the operations of the business, internal audit’s role in championing ERM may reduce. Similarly, if an organisation employs the services of a risk management specialist or function, internal audit is more likely to give value by concentrating on its assurance role than by undertaking the more consulting activities. However, if internal audit has not yet adopted the risk-based approach represented by the assurance activities on the left of Figure 1, it is unlikely to be equipped to undertake the consulting activities in the centre.

Consulting roles
The centre of Figure 1 shows the consulting roles that internal audit may undertake in relation to ERM. In general, the further to the right of the dial that internal audit ventures, the greater are the safeguards that are required to ensure that its independence and objectivity are maintained. Some of the consulting roles that internal audit may undertake are:
• Making available to management tools and techniques used by internal audit to analyse risks and controls;
• Being a champion for introducing ERM into the organisation, leveraging its expertise in risk management and control and its overall knowledge of the organisation;
• Providing advice, facilitating workshops, coaching the organisation on risk and control and promoting the development of a common language, framework and understanding;
• Acting as the central point for coordinating, monitoring and reporting on risks; and
• Supporting managers as they work to identify the best way to mitigate a risk.
The key factor in deciding whether consulting services are compatible with the assurance role is to determine whether the internal auditor is assuming any management responsibility. In the case of ERM, internal audit can provide consulting services so long as it has no role in actually managing risks – that is management’s responsibility – and so long as senior management actively endorses and supports ERM. We recommend that, whenever internal audit acts to help the management team to set up or to improve risk management processes, its plan of work should include a clear strategy and timeline for migrating the responsibility for these activities to members of the management team.

Safeguards

Internal audit may extend its involvement in ERM, as shown in Figure 1, provided certain conditions apply. The conditions are:
• It should be clear that management remains responsible for risk management.
• The nature of internal audit’s responsibilities should be documented in the audit charter and approved by the Audit Committee[3].
• Internal audit should not manage any of the risks on behalf of management.
• Internal audit should provide advice, challenge and support to management’s decision making, as opposed to taking risk management decisions themselves.
• Internal audit cannot also give objective assurance on any part of the ERM framework for which it is responsible. Such assurance should be provided by other suitably qualified parties[4].
• Any work beyond the assurance activities should be recognised as a consulting engagement and the implementation standards related to such engagements should be followed[5].

Skills and body of knowledge

Internal auditors and risk managers share some knowledge, skills and values. Both, for example, understand corporate governance requirements, have project management, analytical and facilitation skills and value having a healthy balance of risk rather than extreme risk-taking or avoidance behaviours.
However, risk managers as such serve only the management of the organisation and do not have to provide independent and objective assurance to the audit committee. Nor should internal auditors who seek to extend their role in ERM underestimate the risk managers’ specialist areas of knowledge (such as risk transfer and risk quantification and modelling techniques) which are outside the body of knowledge for most internal auditors. Any internal auditor who cannot demonstrate the appropriate skills and knowledge should not undertake work in the area of risk management. Furthermore, the head of internal audit should not provide consulting services in this area if adequate skills and knowledge are not available within the internal audit function and cannot be obtained from elsewhere[6].

[1] The Value Agenda, Institute of Internal Auditors – UK and Ireland and Deloitte & Touche 2003
[2] The IIA-UK and Ireland Position Statement on Risk Based Internal Auditing 2003
[3] Attribute Standard 1000.C1
[4] Attribute Standard 1130
[5] Performance Standards 2010.C1, 2110.C1 & C2, 2120.C1 & C2, 2130.C1, 2201.C1, 2210.C1, 2220.C1, 2240.C1, 2330.C1, 2410.C1, 2440.C1 & C2 and 2500.C1
[6] Attribute Standard 1210

Conclusion

• Risk management is a fundamental element of corporate governance.
• Management is responsible for establishing and operating the risk management framework on behalf of the board.
• Enterprise-wide risk management brings many benefits as a result of its structured, consistent and coordinated approach.
• Internal audit’s core role in relation to ERM should be to provide assurance to management and to the board on the effectiveness of risk management.
• When internal audit extends its activities beyond this core role, it should apply certain safeguards, including treating the engagements as consulting services and, therefore, applying all relevant Standards. In this way, internal audit will protect its independence and the objectivity of its assurance services.
• Within these constraints, ERM can help raise the profile and increase the effectiveness of internal audit.

Glossary of terms

Enterprise: Any organisation established to achieve a set of objectives.
Enterprise-wide risk management (ERM): A structured, consistent and continuous process across the whole organisation for identifying, assessing, deciding on responses to and reporting on opportunities and threats that affect the achievement of its objectives.
Assurance Services: An objective examination of evidence for the purpose of providing an independent assessment on risk management, control, or governance processes for the organisation. Examples may include financial, performance, compliance, system security, and due diligence engagements.
Board: A board is an organisation’s governing body, such as a board of directors, supervisory board, head of an agency or legislative body, board of governors or trustees of a non-profit organisation.
Champion: Someone who supports and defends a person or cause. Therefore, a champion of risk management will promote its benefits, educate an organisation’s management and staff in the actions they need to take to implement it and will encourage them and support them in taking those actions.
Consulting Services: Advisory and related client service activities, the nature and scope of which are agreed with the client and which are intended to add value and improve an organisation’s governance, risk management, and control processes without the internal auditor assuming management responsibility. Examples include counsel, advice, facilitation, and training.
Control: Any action taken by management, the board, and other parties to manage risk and increase the likelihood that established objectives and goals will be achieved. Management plans, organizes, and directs the performance of sufficient actions to provide reasonable assurance that objectives and goals will be achieved.
Facilitating: Working with a group (or individual) to make it easier for that group (or individual) to achieve the objectives that the group has agreed for the meeting or activity. This involves listening, challenging, observing, questioning and supporting the group and its members. It does not involve doing the work or taking decisions.
Risk: The possibility of an event occurring that will have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
Risk Appetite: The level of risk that is acceptable to the board or management. This may be set in relation to the organisation as a whole, for different groups of risks or at an individual risk level.
Risk Management Framework: The totality of the structures, methodology, procedures and definitions that an organisation has chosen to use to implement its risk management processes.
Risk Management Processes: Processes to identify, assess, manage, and control potential events or situations, to provide reasonable assurance regarding the achievement of the organisation’s objectives.
Risk Maturity: The extent to which a robust risk management approach has been adopted and applied, as planned, by management across the organisation to identify, assess, decide on responses to and report on opportunities and threats that affect the achievement of the organisation’s objectives.
Risk Responses: The means by which an organisation elects to manage individual risks. The main categories are to tolerate the risk; to treat it by reducing its impact or likelihood; to transfer it to another organisation; or to terminate the activity creating it.
Internal controls are one way of treating a risk.

Further reading

If you would like to find out more about the subject of risk management, the following publications may be of interest to you:
• Risk Management: Changing the Internal Auditor’s Paradigm, Georges Selim and David McNamee. IIA Research Foundation.
• IIA Professional Briefing Note 13: Managing Risk. IIA-UK and Ireland.
• The Complete Guide to Business Risk Management, Kit Sadgrove. Gower.
• Operational Risk and Resilience: Understanding and minimising operational risk to secure shareholder value, PriceWaterhouseCoopers. Butterworth Heinemann.
• Risk Management Guide 2001. White Page.
• It’s a Risky Business. CIPFA.
• The Risk Management Standard. IRM, AIRMIC and ALARM.
• ANZ Risk Management Standard. Standards Australia and Standards New Zealand.
• Enterprise Risk Management Framework. COSO.
• Risk Management in the Public Services. CIPFA & ALARM.
• Independence and Objectivity – Professional Issues Bulletin 2003. IIA-UK and Ireland.
• Embedding Risk Management into the Culture of your organisation – Professional Briefing Note 2003. IIA-UK and Ireland.
• Managing business risk, Adam Jolly. IOD, Ernst & Young and Kogan Page.
• The universe of risk, Pamela Shimell. Pearson Education and FT.
• Management of risk, OGC. TSO.
• Enterprise wide risk management, James Deloach. Pearson Education and FT.
• Risk, John Adams. Routledge.
• Risk management for company executives, John Smullen. Pearson Education and Financial Times Prentice Hall.
• Enterprise Risk Management: Trends & Emerging Practices, Miccolis, Hively, and Merkley. IIA Research Foundation.
• Enterprise Risk Management: Pulling it All Together, Walker, Shenkir and Barton. IIA Research Foundation.

You may also find the following websites of interest:
• www.theiia.org: The Institute of Internal Auditors
• www.iia.org.uk: Institute of Internal Auditors – UK and Ireland
• www.gee.co.uk: Gee Publishing
• www.corpgov.net: Corporate Governance Site
• www.coso.org: The Committee for Sponsoring Organizations (COSO)
• www.theirm.org: The Institute of Risk Management (IRM)
• www.airmic.com: The Association of Insurance and Risk Managers (AIRMIC)
• www.alarm-uk.com: The National Forum for Risk Management in the Public Sector (ALARM)
• www.whitepage.co.uk: White Page web-site
• www.standards.org.au: Standards Australia
• www.standards.co.nz: Standards New Zealand

About the Institute

Established in 1941, The Institute of Internal Auditors (IIA) is an international professional association with global headquarters in Altamonte Springs, Florida, USA. The IIA has more than 95,000 members in internal auditing, risk management, governance, internal control, IT audit, education, and security. With representation from more than 160 countries, The Institute is the recognized authority, principal educator, and acknowledged leader in certification, research and technological guidance for the profession worldwide.

About position statements

Position statements are part of a range of technical and professional guidance prepared by the Institute for its members. They are designed to clarify The IIA’s official policy position on important and potentially complex matters confronting internal auditors.

Copyright

The copyright of the position statement is jointly held. For permission to reproduce in the UK or Ireland, please contact IIA-UK and Ireland. For permission to reproduce elsewhere, please contact The Institute of Internal Auditors at [email protected]. For details of other guidance material provided by The Institute please visit our website, www.theiia.org

Disclaimer

This technical guidance material is not intended to provide definitive answers to specific individual circumstances and as such is only intended to be used as a guide.
The Institute recommends that you always seek independent expert advice relating directly to any specific situation. The Institute accepts no responsibility for anyone placing sole reliance on this technical guidance.

www.iia.org.uk www.theiia.org
Institute of Internal Auditors – UK and Ireland Ltd, 13 Abbeville Mews, 88 Clapham Park Road, London SW4 7BX UK. Telephone +44 (0) 20 7498 0101. Fax +44 (0) 20 7978 2492. Email [email protected]
The Institute of Internal Auditors, 247 Maitland Avenue, Altamonte Springs, Florida 32701, USA. Telephone +1-407-937-1100. Fax +1-407-937-1101. Email [email protected]
Registered in England and Wales, no. 1474735. © September 2004

ERM Essentials

Introduction

Overview
In this unit, we are going to take a closer look at several ERM essentials that need to be in place before you start your initial rollout of ERM.

Objectives
By the end of this unit, you should be able to:
• Identify the four essentials of ERM.

www.theiia.org/training -2-

Enterprise Risk Management Essentials

Warm-up
• What are some of the ERM “essentials”?
• Is reputation damage a risk event, impact factor, or likelihood factor?
• Is a missed opportunity a risk event, impact factor, or likelihood factor?
• Is a reliance on a key employee a risk event, impact factor, or likelihood factor?

The Institute of Internal Auditors, Inc., Altamonte Springs, FL © 2008 -3-

Essential 1 - Language

What Is Risk?
• The uncertainty of an event occurring that could have an impact on the achievement of objectives. Risk is measured in terms of impact and likelihood.
• Any threat or barrier that could prevent an organization from achieving its management objectives.
• Your organization’s “working definition” of risk?

Instructions
Using brainstorming techniques, identify at least 5 ERM technical terms that would illustrate the language used in the implementation of an ERM process.
Once these terms have been identified, write a working definition of the terms that would help in communicating the ERM process to management.

Essential 2 - Process

COSO Categories of Objectives
• Strategic Objectives
• Reporting Objectives
• Compliance Objectives
• Operations Objectives

Essential 3 - Ratings

Rating Scales
• High, Moderate, Low
• 1-5
• Other?

Rating Factors
• Qualitative
• Quantitative
• Other?

Purpose/Challenge – The challenge is to come up with a manageable number of meaningful risk rating factors to build into the ERM process.

Instructions – Using brainstorming techniques, identify five factors that could be used to rate impact and five factors to rate likelihood.

Impact Factors
•
•
•
•
•

Likelihood Factors
•
•
•
•
•

Essential 4 - The Big Picture

Activity: Real World Risks

Instructions
Select a real world activity. Identify 2-3 possible objectives and 2-3 events (for each objective) that have a high level of inherent risk.

Deliverable
Be prepared to present your team’s results.

Real World Activity:
Objectives (Strategic, Reporting, Compliance, Operations):
•
•
•
Events:
•
•
•

If you cannot think of an activity, you may consider the following scenario: The participants in your group are all volunteers serving their community on the Parks & Recreation Council. The mayor has offered funding for all the new equipment you requested in your study for a children's play area, including swings, a merry-go-round, and a sandbox, but remains very skeptical about the installation of a slide. The mayor believes a slide will introduce far more risk than the city is prepared to accept.
All existing parks in the community are required to be self-monitoring through parental supervision. The mayor has given the members of your council a few minutes to reconsider the idea of the installation of a slide in the park, as your previous submission on the design of the play area indicated the slide was a key feature of the playground. Your team has decided to use the COSO ERM model for risk management to influence the decision.

Process:
• Determine 2-3 objectives (Strategic, Reporting, Compliance, Operations)
• Identify some events

Unit Conclusion

Summary
You have completed the lesson “ERM Essentials.” Here is a key point:
• A risk language is one of the essentials. Others are: a process, ratings, and the big picture. The language needs to be organization- and people-friendly. Often, it is more than materiality and controls that drive the risk ratings. Although the process is simple in theory, the challenge is putting it into practice.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Internal Environment

Introduction

Overview
We have completed our ERM overview units on what ERM is and is not, as well as the essentials. Now it is time to start our tour of the ERM framework. In the next few units, we are going to take a closer look at each of the components in the framework. In these units you will have many opportunities to benchmark your ERM plans and activities.

Objectives
By the end of this unit, you should be able to:
• Identify the impact the internal environment has on the enterprise risk management process.
Resources

Readings and Resources
• Reading: Culture of Assurance
• Exhibit 4-1: Ameritech
• Exhibit 4-2: El-Paso

Internal Environment Overview
• Is the foundation for all other components
• Influences how strategies and objectives are established
• Is influenced by the entity’s history and culture

Internal Environment: Factors
How can some of the COSO Control Environment factors affect ERM, and how can you evaluate their effectiveness (i.e., are they enablers or barriers)?
• Risk Management Philosophy
• Risk Appetite
• Board of Directors
• Integrity and Ethical Values
• Commitment to Competence
• Organization Structure
• Assignment of Authority/Responsibility
• Human Resources Policies/Practices
• Risk Culture

A Closer Look: ERM Philosophy

ERM Philosophy
• Beliefs about risk: how the entity conducts its activities and deals with risks
• The value the entity seeks from ERM
• The philosophy influences how ERM is applied

ERM Philosophical Challenges and Lessons Learned

Risk Appetites
Risk Appetite: The amount of risk the entity is willing to accept in pursuit of value
• Expressed in qualitative or quantitative terms
• Considered in strategy setting:
  • Rewards aligned with appetite
  • Strategy consistent with appetite

Risk Culture
• Shared set of attitudes, values, and practices: how the entity considers risk in daily activities
• Flows from philosophy and appetite
• Reality checks: risk subcultures and different environments

ERM Challenges and Lessons Learned

Exercise: Readiness Check

Instructions
• Review Exhibits 4-1 and 4-2, which are survey examples from Ameritech and El-Paso.
• Develop 10 survey statements or questions that could be used in an Internal Environment Readiness Check. Feel free to come up with your own items that are not included in either of these surveys.
• Discuss your survey approach (i.e., who would be surveyed, tools, etc.).
• Deliverable — Be prepared to discuss your results

Source | Statement/Question

Reading: Culture of Assurance
Please turn to the appendix for the reading: Culture of Assurance.

Exhibit: ERM Readiness Check Exercise

Ameritech Assessment Survey

YOUR DEPARTMENT: _______________________________________________
In what state is your office located? ______________________ IL MI OH IN WI Other
(PLEASE CIRCLE THE ONE RESPONSE THAT BEST DESCRIBES YOUR REACTION TO EACH STATEMENT)
KEY: SA = Strongly Agree, A = Agree, D = Disagree, SD = Strongly Disagree, DK = Don’t Know

SECTION I: Company Culture
The company culture sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. (PLEASE CIRCLE ONE FOR EACH.)
1. Senior management of my business unit demonstrates high ethical standards. SA A D SD DK
2. Senior management of my business unit strives to comply with laws/regulations affecting the company. SA A D SD DK
3. My supervisor complies with laws/regulations affecting the company. SA A D SD DK
4. The performance targets in my work unit are realistic and obtainable. SA A D SD DK
5. Employees in my work unit have the knowledge, skill and training to perform their job adequately. SA A D SD DK
6. My business unit learns from its mistakes. SA A D SD DK
7. Personnel turnover has not impaired my work unit’s ability to effectively perform its function. SA A D SD DK
8.
Integrity of financial and operational results always takes priority over reporting acceptable performance targets. SA A D SD DK
9. Employees in my work unit are treated fairly and justly. SA A D SD DK
10. Employees in my work unit do not have to take unnecessary safety risks to perform their job. SA A D SD DK
11. If you disagree/strongly disagree with any of the above questions on the company culture, why do you feel this way?
______________________________________________________________________

SECTION II: Goals and Obstacles
Organizations identify and analyze potential obstacles to the achievement of their goals in order to determine how to manage the obstacles. (PLEASE CIRCLE ONE FOR EACH.)
12. For the coming year I am accountable for defined, measurable objectives. SA A D SD DK (27)
13. I have sufficient resources, tools and time to accomplish my objectives. SA A D SD DK (28)
14. In my department, we identify barriers and obstacles and resolve issues that could impact achievement of objectives. SA A D SD DK (29)
15. In my department, the processes supporting new products, services, technology and other significant changes are adequately managed. SA A D SD DK (30)
16. My business unit adequately takes into account customer impacts in its decisions and actions. SA A D SD DK (31)
17. If you disagree/strongly disagree with any of the above questions on the company culture, why do you feel this way?
______________________________________________________________________
18. In your opinion, what are the primary business/financial risks facing your business unit?
______________________________________________________________________

SECTION IV: Information and Communications
Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. (PLEASE CIRCLE ONE FOR EACH.)
19. Our information systems provide management with timely reports on my unit’s performance relative to established objectives. SA A D SD DK (37)
20. Mechanisms and incentives are in place for me to provide recommendations for process improvements. SA A D SD DK (38)
21. The interaction between senior management and my work unit enables us to perform our jobs effectively. SA A D SD DK (39)
22. The communication across department boundaries within my business unit enables us to perform our jobs effectively. SA A D SD DK (40)
23. The communication across business unit boundaries enables people to perform their jobs effectively. SA A D SD DK (41)
24. Senior management at Ameritech Corporation is informed and aware of my business unit’s actual performance. SA A D SD DK (42)
25. A communication channel exists for reporting suspected improprieties. SA A D SD DK (43)
26. Persons who report suspected improprieties are protected from reprisal. SA A D SD DK (44)
27. If I report wrongdoing to my supervisor, I am confident that the wrongdoing will stop. SA A D SD DK (45)
28. If you disagree/strongly disagree with any of the above questions on Information and Communications, why do you feel this way?
______________________________________________________________________

SECTION V: Evaluation and Feedback
Through evaluation and feedback processes, an organization assesses, tracks and monitors its performance over time. (PLEASE CIRCLE ONE FOR EACH.)
29. Information reported to senior management reflects the actual results of operations in my work unit. SA A D SD DK (47)
30. I have enough information to monitor vendor performance. SA A D SD DK (48)
31. I have enough information to monitor customers’ satisfaction or dissatisfaction (either internal or external). SA A D SD DK (49)
32. External and/or internal customer feedback and complaints are followed up on in a timely and effective manner. SA A D SD DK (50)
33. The quality of output in my work unit is measurable. SA A D SD DK (51)
34. Employees in my work unit know what actions to take when they find mistakes or gaps in performance. SA A D SD DK (52)
35. My supervisor reviews my performance with me at appropriate intervals. SA A D SD DK (53)
36. I know what action to take if I become aware of unethical or fraudulent activity. SA A D SD DK (54)
37. If you disagree/strongly disagree with any of the above questions on Evaluation and Feedback, why do you feel this way?
______________________________________________________________________

El Paso Control Assessment Survey (Excerpts)

Integrity and Ethical Values
A company’s objectives and the way they are achieved are based on preferences, value judgments, and management styles. Those preferences and value judgments that translate into standards of behavior reflect management’s integrity and its commitment to ethical values.
A company’s good reputation is so valuable that the standard of behavior must go beyond mere compliance with the law. In awarding reputation to the best companies, society expects more than that. The effectiveness of a system of internal control cannot rise above the integrity and ethical values of the personnel who create, administer, and monitor it. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other internal control components.
Agree = 5, Disagree = 1
38. The Company’s Code of Conduct and other policies regarding acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior are comprehensive and relevant and address matters of significance to you. 5 4 3 2 1 NA
39. Employees fully and clearly understand what behavior is acceptable and unacceptable under the Company’s Code of Conduct and know what to do when they encounter improper behavior. 5 4 3 2 1 NA
40. Management frequently and clearly communicates the importance of integrity and ethical behavior during staff meetings and/or one-on-one discussions. 5 4 3 2 1 NA
41. Management demonstrates a commitment to integrity and ethical behavior by example in their day-to-day activities. 5 4 3 2 1 NA
42. Employees are generally inclined to do the “right thing” when faced with pressures to cut corners with regard to policies and procedures. 5 4 3 2 1 NA
43. Management addresses and resolves violations of behavioral and ethical standards consistently, timely, and equitably in accordance with the provisions of the Company’s Code of Conduct. 5 4 3 2 1 NA
44. The existence of the Company’s Code of Conduct and the consequences of its breach are an effective deterrent to unethical behavior. 5 4 3 2 1 NA
45.
Management strictly prohibits circumvention of established policies and procedures, except where specific guidance has been provided, and demonstrates commitment to this principle. 5 4 3 2 1 NA
Comments:

Management’s Philosophy and Operating Style
Management’s philosophy and operating style affect the way the Company is managed, including the kinds of business risk accepted. A company that has been successful taking significant risks may have a different outlook on internal control than one that has faced harsh economic or regulatory consequences as a result of venturing into dangerous territory. An informally managed company may control operations largely by face-to-face contact with key managers. A more formally managed one may rely more on written policies, performance indicators, and exception reports.
Agree = 5, Disagree = 1
46. Management accepts the appropriate amount of business risk. 5 4 3 2 1 NA
47. Key personnel have not resigned unexpectedly or on short notice, and employee turnover is not excessive. 5 4 3 2 1 NA
48. Employees in your function feel they are adding value within the Company’s overall strategy. 5 4 3 2 1 NA
49. Management meetings are held periodically within your function and are frequently attended by senior management. 5 4 3 2 1 NA
50. Objectives established by senior management are realistic and achievable. 5 4 3 2 1 NA
51. Management views accounting treatment for transactions or activities in a balanced manner, neither too aggressive nor too conservative. 5 4 3 2 1 NA
52. Management views the accounting function as an important element in the overall system of internal control rather than an obstacle to be avoided or overcome. 5 4 3 2 1 NA
53. Management routinely assesses various risks to achieving business objectives. 5 4 3 2 1 NA
54.
Management appropriately balances the focus on short-term reported results with long-term business objectives and does not exert inappropriate pressure to achieve earnings objectives. 5 4 3 2 1 NA
55. Estimates required for your function’s activities are based on sound models, verifiable market data, and fair assumptions. 5 4 3 2 1 NA
Comments:

Organizational Structure
A company’s organizational structure provides the framework within which its activities for achieving company-wide objectives are planned, executed, controlled, and monitored. Significant aspects of establishing a relevant organizational structure include defining key areas of authority and responsibility and establishing appropriate lines of reporting.
Agree = 5, Disagree = 1
56. Management treats your function as an integral part of the Company’s overall operations. 5 4 3 2 1 NA
57. The current organizational structure facilitates the flow of information both up and down within your function and across to other functions. 5 4 3 2 1 NA
58. Managers and process owners in your function have ready access to senior management in addressing significant issues. 5 4 3 2 1 NA
59. The organizational structure in your function provides adequate supervisory and managerial oversight. 5 4 3 2 1 NA
60. Management periodically evaluates the organizational structure relevant to your function in light of changes in the scope, nature, or extent of your operations. 5 4 3 2 1 NA
61. Employees do not work excessive overtime and do not fulfill the responsibilities of more than one employee. 5 4 3 2 1 NA
Comments:

Control Activities in Place
Control activities are a significant part of the process by which a company strives to achieve its business objectives.
Control activities serve as mechanisms for managing and mitigating risk, thereby enabling the achievement of objectives. Control is built directly into processes and always relates back to the risk it was designed to mitigate. Control activities which are added on in reaction to insignificant or non-existent risks can result in burdensome layers of redundant controls which can increase cost and impede efficiency. Agree = 5, Disagree = 1 62. Control activities described in policy and procedure manuals are actually applied the way they are intended to be applied and relate clearly to identified risks. 5 4 3 2 1 NA 63. Supervisory personnel periodically review the functioning and overall effectiveness of controls. 5 4 3 2 1 NA 64. Responsibilities in your function have been assigned in a manner which precludes any individual from processing data transactions in their entirety or from maintaining records for transactions in which the individual participated.< /LI> 5 4 3 2 1 NA 65. Effective procedures have been established for the routine verification of the accuracy of data when it is entered, processes, generated, distributed, or transferred. 5 4 3 2 1 NA 66. Individuals from your function have appropriate responsibility for control over assets and data and the processing of transactions. 5 4 3 2 1 NA 67. Effective contingency plans have been developed and documented for your function to deal with service interruptions if they occur. 5 4 3 2 1 NA 68. Periodic tests of contingency and disaster recovery plans take place to make sure they are current, operational, and effective. 5 4 3 2 1 NA Comments: The Institute of Internal Auditors, Inc., Altamonte Springs, FL © 2008 - 19 - Internal Environment Unit Conclusion Summary You have completed the lesson “Internal Environment” Here is a key point: • Real-world ERM philosophy is a key factor in sustaining the ERM process. 
Continuous maintenance is important, as is understanding that risk events can occur in any organization. Competence enablers include effective hiring/training programs, good judgment, communication, and correct supervision. Individual functions will have different risk appetites and cultures (e.g., sales v. compliance, research and development v. quality control). The key point is that these factors can work at cross-purposes or complement each other.

Participant Expectations, Ideas, and Insights

Record actions you can take in your organization to implement the topics discussed in this unit.

Ameritech Assessment Survey

YOUR DEPARTMENT:

In what state is your office located? IL MI OH IN WI Other

(PLEASE CIRCLE THE ONE RESPONSE THAT BEST DESCRIBES YOUR REACTION TO EACH STATEMENT)

KEY: SA = Strongly Agree, A = Agree, D = Disagree, SD = Strongly Disagree, DK = Don’t Know

SECTION I: Company Culture

The company culture sets the tone of an organization, influencing the control consciousness of its people. It is the foundation for all other components of internal control. (PLEASE CIRCLE ONE FOR EACH.)

1. Senior management of my business unit demonstrates high ethical standards. SA A D SD DK
2. Senior management of my business unit strives to comply with laws/regulations affecting the company. SA A D SD DK
3. My supervisor complies with laws/regulations affecting the company. SA A D SD DK
4. The performance targets in my work unit are realistic and obtainable. SA A D SD DK
5. Employees in my work unit have the knowledge, skill, and training to perform their job adequately. SA A D SD DK
6. My business unit learns from its mistakes. SA A D SD DK
7. Personnel turnover has not impaired my work unit’s ability to effectively perform its function. SA A D SD DK
8. Integrity of financial and operational results always takes priority over reporting acceptable performance targets. SA A D SD DK
9. Employees in my work unit are treated fairly and justly. SA A D SD DK
10. Employees in my work unit do not have to take unnecessary safety risks to perform their job. SA A D SD DK
11. If you disagree/strongly disagree with any of the above questions on the company culture, why do you feel this way?

Exhibit 4-1-1

SECTION II: Goals and Obstacles

Organizations identify and analyze potential obstacles to the achievement of their goals in order to determine how to manage the obstacles. (PLEASE CIRCLE ONE FOR EACH.)

12. For the coming year I am accountable for defined, measurable objectives. SA A D SD DK (27)
13. I have sufficient resources, tools, and time to accomplish my objectives. SA A D SD DK (28)
14. In my department, we identify barriers and obstacles and resolve issues that could impact achievement of objectives. SA A D SD DK (29)
15. In my department, the processes supporting new products, services, technology, and other significant changes are adequately managed. SA A D SD DK (30)
16. My business unit adequately takes into account customer impacts in its decisions and actions. SA A D SD DK (31)
17. If you disagree/strongly disagree with any of the above questions on the company culture, why do you feel this way?
18. In your opinion, what are the primary business/financial risks facing your business unit?

SECTION III: Policies and Procedures

Policies, procedures, and other safeguards help ensure that objectives are accomplished. (PLEASE CIRCLE ONE FOR EACH.)

19. The policies and procedures in my work unit allow me to do my job effectively. SA A D SD DK (32)
20. Employees who steal from the company (physical property, money, information, time) will be discovered. SA A D SD DK (33)
21. Employees who steal from the company and are discovered will be subject to appropriate consequences. SA A D SD DK (34)
22. Employees who break laws and regulations affecting the company will be discovered. SA A D SD DK (35)
23. Employees who break laws and regulations affecting the company and are discovered will be subject to appropriate consequences. SA A D SD DK (36)

Exhibit 4-1-2

24. If you disagree/strongly disagree with any of the above questions on Policies and Procedures, why do you feel this way?

SECTION IV: Information and Communications

Pertinent information must be identified, captured, and communicated in a form and time frame that enables people to carry out their responsibilities. (PLEASE CIRCLE ONE FOR EACH.)

25. Our information systems provide management with timely reports on my unit’s performance relative to established objectives. SA A D SD DK (37)
26. Mechanisms and incentives are in place for me to provide recommendations for process improvements. SA A D SD DK (41)
27. The interaction between senior management and my work unit enables us to perform our jobs effectively. SA A D SD DK (42)
28. The communication across department boundaries within my business unit enables us to perform our jobs effectively. SA A D SD DK (43)
29. The communication across business unit boundaries enables people to perform their jobs effectively. SA A D SD DK (44)
30. I have sufficient information to do my job. SA A D SD DK (45)
31. Senior management at Ameritech Corporation is informed and aware of my business unit’s actual performance. SA A D SD DK (46)
32. A communication channel exists for reporting suspected improprieties. SA A D SD DK (38)
33. Persons who report suspected improprieties are protected from reprisal. SA A D SD DK (39)
34. If I report wrongdoing to my supervisor, I am confident that the wrongdoing will stop. SA A D SD DK (440)
35. If you disagree/strongly disagree with any of the above questions on Information and Communications, why do you feel this way?

Exhibit 4-1-3

SECTION V: Evaluation and Feedback

Through evaluation and feedback processes, an organization assesses, tracks, and monitors its performance over time. (PLEASE CIRCLE ONE FOR EACH.)

36. Information reported to senior management reflects the actual results of operations in my work unit. SA A D SD DK (47)
37. I have enough information to monitor vendor performance. SA A D SD DK (48)
38. I have enough information to monitor customers’ satisfaction or dissatisfaction (either internal or external). SA A D SD DK (49)
39. External and/or internal customer feedback and complaints are followed up on in a timely and effective manner. SA A D SD DK (50)
40. The quality of output in my work unit is measurable. SA A D SD DK (51)
41. Employees in my work unit know what actions to take when they find mistakes or gaps in performance. SA A D SD DK (52)
42. My supervisor reviews my performance with me at appropriate intervals. SA A D SD DK (53)
43. I know what action to take if I become aware of unethical or fraudulent activity. SA A D SD DK (54)
44. If you disagree/strongly disagree with any of the above questions on Evaluation and Feedback, why do you feel this way?

Exhibit 4-1-4

CONTROL ASSESSMENT SURVEY (EXCERPTS)

Integrity and Ethical Values

A company’s objectives and the way they are achieved are based on preferences, value judgments, and management styles. Those preferences and value judgments that translate into standards of behavior reflect management’s integrity and its commitment to ethical values. A company’s good reputation is so valuable that the standard of behavior must go beyond mere compliance with the law.
In awarding reputation to the best companies, society expects more than that. The effectiveness of a system of internal control cannot rise above the integrity and ethical values of the personnel who create, administer, and monitor it. Integrity and ethical values are essential elements of the control environment, affecting the design, administration, and monitoring of other internal control components.

Rating for each item: Agree 5 4 3 2 1 NA Disagree

1. The Company’s Code of Conduct and other policies regarding acceptable business practice, conflicts of interest, and expected standards of ethical and moral behavior are comprehensive and relevant and address matters of significance to you.
2. Employees fully and clearly understand what behavior is acceptable and unacceptable under the Company’s Code of Conduct and know what to do when they encounter improper behavior.
3. Management frequently and clearly communicates the importance of integrity and ethical behavior during staff meetings and/or one-on-one discussions.
4. Management demonstrates a commitment to integrity and ethical behavior by example in their day-to-day activities.
5. Employees are generally inclined to do the “right thing” when faced with pressures to cut corners with regard to policies and procedures.
6. Management addresses and resolves violations of behavioral and ethical standards consistently, timely, and equitably in accordance with the provisions of the Company’s Code of Conduct.
7. The existence of the Company’s Code of Conduct and the consequences of its breach are an effective deterrent to unethical behavior.
8. Management strictly prohibits circumvention of established policies and procedures, except where specific guidance has been provided, and demonstrates commitment to this principle.

Comments:

Exhibit 4-2-1

Management’s Philosophy and Operating Style

Management’s philosophy and operating style affect the way the Company is managed, including the kinds of business risk accepted. A company that has been successful taking significant risks may have a different outlook on internal control than one that has faced harsh economic or regulatory consequences as a result of venturing into dangerous territory. An informally managed company may control operations largely by face-to-face contact with key managers. A more formally managed one may rely more on written policies, performance indicators, and exception reports.

Rating for each item: Agree 5 4 3 2 1 NA Disagree

19. Management accepts the appropriate amount of business risk.
20. Key personnel have not resigned unexpectedly or on short notice, and employee turnover is not excessive.
21. Employees in your function feel they are adding value within the Company’s overall strategy.
22. Management meetings are held periodically within your function and are frequently attended by senior management.
23. Objectives established by senior management are realistic and achievable.
24. Management views accounting treatment for transactions or activities in a balanced manner, neither too aggressive nor too conservative.
25. Management views the accounting function as an important element in the overall system of internal control rather than an obstacle to be avoided or overcome.
26. Management routinely assesses various risks to achieving business objectives.
27. Management appropriately balances the focus on short-term reported results with long-term business objectives and does not exert inappropriate pressure to achieve earnings objectives.
28. Estimates required for your function’s activities are based on sound models, verifiable market data, and fair assumptions.

Comments:

Exhibit 4-2-2

Organizational Structure

A company’s organizational structure provides the framework within which its activities for achieving company-wide objectives are planned, executed, controlled, and monitored. Significant aspects of establishing a relevant organizational structure include defining key areas of authority and responsibility and establishing appropriate lines of reporting.

Rating for each item: Agree 5 4 3 2 1 NA Disagree

29. Management treats your function as an integral part of the Company’s overall operations.
30. The current organizational structure facilitates the flow of information both up and down within your function and across to other functions.
31. Managers and process owners in your function have ready access to senior management in addressing significant issues.
32. The organizational structure in your function provides adequate supervisory and managerial oversight.
33. Management periodically evaluates the organizational structure relevant to your function in light of changes in the scope, nature, or extent of your operations.
34. Employees do not work excessive overtime and do not fulfill the responsibilities of more than one employee.

Comments:

Exhibit 4-2-3

Control Activities in Place

Control activities are a significant part of the process by which a company strives to achieve its business objectives. Control activities serve as mechanisms for managing and mitigating risk, thereby enabling the achievement of objectives. Control is built directly into processes and always relates back to the risk it was designed to mitigate. Control activities that are added on in reaction to insignificant or non-existent risks can result in burdensome layers of redundant controls, which increase cost and impede efficiency.

Rating for each item: Agree 5 4 3 2 1 NA Disagree

59. Control activities described in policy and procedure manuals are actually applied the way they are intended to be applied and relate clearly to identified risks.
60. Supervisory personnel periodically review the functioning and overall effectiveness of controls.
61. Responsibilities in your function have been assigned in a manner which precludes any individual from processing data transactions in their entirety or from maintaining records for transactions in which the individual participated.
62. Effective procedures have been established for the routine verification of the accuracy of data when it is entered, processed, generated, distributed, or transferred.
63. Individuals from your function have appropriate responsibility for control over assets and data and the processing of transactions.
64. Effective contingency plans have been developed and documented for your function to deal with service interruptions if they occur.
65. Periodic tests of contingency and disaster recovery plans take place to make sure they are current, operational, and effective.

Comments:

Exhibit 4-2-4

Risk Identification and Assessment

Introduction

Overview

In this unit, we will explore the core of the ERM process. After a brief overview of the factors that make up the big three components, we will take a closer look at some additional COSO factors.
Objectives

By the end of this unit, you should be able to:
• Identify the components required when setting objectives for risk identification.
• Identify the methodologies and techniques that are most effective during risk identification and risk assessment.
• Apply the components of risk assessment and risk identification to various situations.

Objective Setting and Risk Identification

Objective Setting Factors
• Strategic Objectives
• Related Objectives
• Selected Objectives
• Risk Appetite
• Risk Tolerance

Identification and Assessment Factors

Risk Identification
• Events
• Internal/External Factors
• Methodology/Techniques
• Interdependence
• Categories
• Risks/Opportunities

Risk Assessment
• Inherent/Residual Risk
• Likelihood/Impact
• Qualitative/Quantitative — Methodology/Techniques
• Correlation

The Institute of Internal Auditors, Inc., Altamonte Springs, FL © 2010

A Closer Look at Risk Appetite and Tolerance

Selected Objectives
• ERM doesn’t dictate — it does focus on management’s process.

Risk Appetite
• Management and board roles
• Strategies consistent with appetite
• Resource allocations

Risk Tolerance
• Acceptable variations

A Closer Look at Risk Identification and Assessment
• Events/Factors/Categories
• Methodology/Techniques
• Interdependence/Correlation
• Risks/Opportunities

Internal and External Factors

Events
• Internal and External Sources
• Potential Impact: Positive or Negative
• Blind spots — Practical Considerations

Internal Factors
• Infrastructure
• People
• Process
• Technology
• Other?

External Factors
• Economic/Business
• Natural
• Political
• Social
• Technology
• Other?
Event Factors and Categories

Event Categories
• Why?
• How many?
• How to develop them?

Activity: Build Your Own Risk Categories

Instructions: Listed below are 28 risk factors. Management has asked your group to:
• Use this list to build a manageable number of risk categories (no more than 7).
• Place each risk factor in one category. Do not worry about the impact or likelihood of factors.
• Identify any other significant risk factors that the organization may need to consider.

Risk Factors — Sources of Risk
• Applicable laws
• Business interruption
• Capital adequacy
• Contract risk
• Coordination/communication
• Counterparty risk
• Competition
• Customers
• Economy
• Foreign exchange
• Fraud/theft/misuse
• Governance
• Inefficiency
• Information/data quality
• Interest rate risk
• Intellectual capital
• Investment/credit risk
• Liquidity
• Media
• People
• Process/service quality
• Resources
• Pressure to meet goals
• Regulations
• Sensitive Information
• Strategic Alliances/Partners
• Stakeholders
• Obsolescence

Risk Category
#1 –
#2 –
#3 –
#4 –
#5 –
#6 –
#7 –

Methodologies and Techniques

Methodology and Techniques Overview

Risk Identification
• Event Inventories
• Internal Analysis
• Escalation Triggers
• Leading Indicators
• Loss Event Data
• Process Flow Analysis
• Facilitated Workshops and Interviews
• Other?

Risk Assessment
• Qualitative, Quantitative, “Blends”
• Benchmarking
• Probabilistic Models
• Non-probabilistic Models
• Facilitated Workshops and Interviews
• Other?
Case Study 1

Forecasting and Risk Exploitation
• Risk/Opportunity Identification – Done by senior management via questionnaires or 1½-day workshops.
• Risk/Opportunity Evaluation, Handling, and Reporting – Completed by business divisions during monthly forecasting.
• Aggregation – Risk management reviews the reports, discusses the handling of risks/opportunities, and produces an overall version. Risk report matters are regularly discussed with the Chief Operating Officer.

Are there any parts of this process that you can, or have, used in your risk management process?

Case Study 2
• Strategy Assessment – Risk management facilitates a 1½-day workshop attended by organization executives. Risks are mapped based on impact/likelihood. Red risks are analyzed, and risk drivers are identified and quantified.
• Strategy Development – Executives choose the risk mitigators/risk management alternatives that they will use. They also agree on a desired risk profile.
• Business Plan – The risk management strategy is integrated into the business planning process.
• Ongoing Management Process – Business unit management evaluates and reports on progress in managing the risks and achieving the desired risk profile.

Are there any parts of this process that you can, or have, used in your risk management process?

Case Study 3
• Business Vision/Objectives
• Risk Framework/Universe – Decision-makers from various functions are surveyed and asked to identify a half dozen significant business risks. The ERM committee compiles the data into a risk matrix and merges the risks into 20–35 categories.
• Risk Workshops – An ERM team facilitates workshops that are attended by 15–20 cross-functional participants. Risk categories are discussed and rated. The deliverable is a risk map that shows the impact and likelihood.
• Control/Action Workshops – These facilitated workshops are attended by 8–12 cross-functional participants. High priority risks are evaluated, and action plans with assigned responsibilities are developed.
• Monitoring – Action plan status is reported quarterly. Progress and any gaps are monitored.

Are there any parts of this process that you can, or have, used in your risk management process?

Risk/Control Workshops

Risk/Control Workshop 2

Workshop Questions
• How can you reduce workshop time requirements or maximize productive discussion time?
• Who should participate in the risk/control self-assessment workshops?
• What roles should the facilitator(s) play in the workshop — and what roles should they not play?
• What is the best way to capture risk rankings, significant issues, and actions or commitments?
• Should there be a formal report on the workshop, and to whom should it go?
• Other success stories or lessons learned?

Interdependence and Correlation

Interdependencies
• Triggers
• Examples

Correlation
• Combinations of Impact/Likelihood
• Examples

Aggregation and Validation
• Portfolio View Perspective
• Risk Profiles and Heat Maps
• Management Dashboards
• Other

Validation

Validation approaches and practices include:
• Risk Management Review
• Peer Review
• Internal Audit Review
• Senior Management and Board Review
• Other?
Exercises

Wriskey Business Enterprises (WBE) Assignment

Wriskey Business Enterprises (WBE) does not exist — any resemblance to an existing or former enterprise is strictly accidental. WBE has requested your team’s assistance in completing the initial phase of an enterprise-wide risk assessment. Your teams will have approximately 30 minutes to review the results of a high-level risk assessment and identify WBE’s most significant risks and opportunities. Feel free to ask questions!

Instructions

Review the background information on WBE and the four units/processes:
• Platinum Elite Payment Services
• Gold Elite Payment Services
• Marketing
• Treasury Accounting

You may want to divide the assignment by having each team member focus on one of the four WBE areas. After you have reviewed and discussed the background information, keep reading the information provided for each of the four WBE areas. There will be a summary of information for each area as well as results of the risk assessment.

Deliverable: The following pages have supporting comments for each of the four units/processes on this risk profile. Your team’s deliverable is a presentation to WBE’s Board on their most significant risks and opportunities. Feel free to ask additional questions and confirm any assumptions.
• Identify WBE’s top 3 risks. Please identify the issue, risk category, and unit(s).
• Also identify any significant opportunities that WBE needs to be aware of.

You may use the following optional template to help determine your team results.
Platinum Group:
Top Risks:
Any Opportunities:

Gold Group:
Top Risks:
Any Opportunities:

Marketing Group:
Top Risks:
Any Opportunities:

Treasury Group:
Top Risks:
Any Opportunities:

WBE’s Overall Top Three Risks:
1)
2)
3)

WBE’s Significant Opportunities:
1)
2)
3)

Background

WBE’s founder, I. Barry Wriskey, is currently the Chairman/CEO. WBE provides outsourced bill payment services to small and mid-sized organizations and wealthy individuals. I. Barry and several rich and influential friends own WBE. These stakeholders have been involved in a wide variety of extremely successful ventures, and they have very high expectations for this venture. WBE’s primary goals are growth and profitability through highly responsive customer service. In addition to the four units and processes (described on the following pages), there is also a Human Resource function that handles all personnel activities and payroll processing. They have a strategic alliance with the Big Bucks Bank (BBB is another completely fictitious enterprise). They use BBB’s cash management software and use the bank’s deposit account services. BBB’s CEO, Mick Lesson, is also on WBE’s Board.

Reading: Platinum Elite Payment Services

Background – Hannibal Smyth heads WBE’s newest service unit. It was created to process bill payments for WBE’s largest and most profitable clients. They handle 30% of WBE’s current clients, process 60% of the transactions (based on dollars, not numbers), and generate 50% of the servicing revenue. They will do whatever it takes to handle special requests and meet client expectations. Much of WBE’s future growth is linked to the success of this area.
Objectives – Customer service quality, growth, maximize revenue.

Activities – This unit receives customer requests and processes payments for all of their customers. In some cases, they also handle payroll processing and fixed asset purchases, and prepare cash flow reports. They process transactions for each customer on a daily basis. Many of the customer requests need to be expedited.

Controls – The staff is very experienced — an assignment to this unit is perceived to be a promotion (even though pay rates are similar). The unit consists of several work teams. Each team is responsible for several customers. Staffing levels are adequate — if a team is overloaded, which seldom happens, Gold Elite employees are temporarily assigned to the unit. They have written operating procedures. The procedures also have limits (additional approval by accounting is required on transactions over set dollar limits). All transactions are authorized by designated customer contacts. These customer contacts also receive daily reports covering all of the payments that were made on their behalf.

Other factors – The process has a lot of paper — many requests are faxed in, and checks are used for most disbursements. The process is also complicated because the unit will alter their procedures to handle customer requests — several customers have funded their disbursements when the payments are released.

Management comments – Management’s primary concern is customer satisfaction, and they send out customer surveys and track results. Team members are encouraged to do whatever it takes to meet or exceed customer expectations.

Staff comments – The success of the WBE depends on us — WBE will make more on a few of our deals than they do in the whole golden elite area. We don’t get the full respect we deserve. Sometimes we have to exert our authority or take some short cuts to deliver quality service.

Comments from other areas – Their attitude makes us sick, and they expect the rest of us to treat them like royalty. (comments from Gold Elite and Treasury)

Impact
• High – Assets (large customer assets and reputation), Operational (WBE’s largest and most important customers), Internal/Strategic (WBE’s future growth is linked to this activity).
• Low – None. Technology (only moderate reliance), and Regulations/Legal (moderate based on possible customer contract issues).

Likelihood
• High – Operational (paper-intensive process, expedited requests, they could be overstaffed), Internal/Strategic (people/attitudes, coordination, etc.). The ↑ (directional risk arrow) is related to the obsolete process.
• Low – None. They appear to have good people, procedures, approvals, etc.

Reading: Gold Elite Payment Services

Background – Gold Elite Payment Services is headed by B.A. Barracuss. They handle 70% of WBE’s current clients, process 40% of the transactions, and generate 50% of the servicing revenue. Their clients are interested in low cost handling of their bill payments. They are proud of their productivity measures and efficiency initiatives.

Objectives – Productivity, expense reduction, and customer retention.

Activities – This unit’s primary activity is also processing payments. They have created a “seamless partnership” with their customers and a financial institution. They use the financial institution’s cash management services. The unit uses a secure Web site that has had a WebTrust review to receive customer requests and exchange information. They also use electronic funds transfer for most disbursements. They process customer payments twice a month; the dates are staggered to even out workflows and help improve customer cash management.
Controls – This unit and partnership relies on system security features (i.e., access restrictions, employee passwords, monitoring reports, etc.). The unit also has a control team that manages system security and monitors disbursement transactions. The control unit also handles all customer complaints.
Management comments – Our reliance on technology is heavy. I can’t imagine what we would do without it. I am concerned about losing my best people to Platinum – they have it easy over there.
Other factors – The unit would like to expand their services to handle customer receivables and deposits. Marketing rejected the idea because WBE has elected to focus on growing the Platinum customer base.
Staff comments – We are the most productive members of this team. Our automated process helps us push through some huge transaction volumes.
Comments from other areas – There is not a lot of growth potential in this area. We cannot charge much for their no frills services. (comments from marketing)

Impact
• High – Operational (they handle 70% of WBE’s customers), Technology (heavy reliance on technology), Internal/Strategic (although management is not focusing on this activity, they do generate 50% of the current revenue).
• Low – None. Assets (customer assets are relatively moderate) and Regulations/Legal (moderate contract risk — they have standard services) are rated moderate.
Likelihood
• High – None. Technology (although management is concerned, they appear to have several controls in place), Internal/External (the directional risk arrow is based on: 1) the possible loss of people to Platinum, and 2) the possible opportunity to expand their market). The directional risk arrow is related to the possible market expansion.
• Low – Assets and Operational (based on the seamless partnership and controls described in the case).
Reading: Marketing
Background – Templeton Pack heads Marketing. The Marketing area is responsible for client acquisition and retention. They are the only unit that receives incentive compensation.
Objectives – Growth and revenue.
Activities – Prospecting clients, negotiating fees, contract/service agreement approval.
Controls – WBE has pricing policy guidelines for their standard services. The fees for new service requests are negotiated. WBE also has a standard contract/service agreement. Mr. Enterprise and the Board receive a monthly report covering all new customers.
Management comments – I do not know why you want to talk to me. We do not handle cash or deal with numbers. We just bring in the new customers that WBE needs to grow and be profitable.
Other factors – The Marketing staff receive a base salary. They also have an attractive incentive compensation package based on new business and revenue goals. Accounting tracks the incentive compensation drivers and approves the payments on a quarterly basis.
Comments from other areas – They promise new customers everything and we are expected to deliver. I do not think they know anything about our payment processes. (comments from a Platinum supervisor)

Impact
• High – Operational (their promises are creating problems), Regulations/Legal (the standard contract may not cover all of the special services), Internal/Strategic (pricing may not cover the cost of special services, possible incentive compensation growth versus quality issues).
• Low – Technology (limited reliance). Assets (moderate — some possible incentive compensation losses).
Likelihood
• High – Operational (marketing objectives/promises appear to be uncontrolled), Regulations/Legal (possible contract flaws), Internal/Strategic (the pricing, incentive, and coordination issues appear to be an accident waiting to happen).
• Low – None.

Reading: Treasury/Accounting
Background – Treasury/Accounting is headed by M.D. Murduck. They handle WBE’s cash management and short-term investment activities. They also bill and collect all servicing income and act as a control function for the payment service units (i.e., approve transactions, reconcile accounts, etc.).
Objectives – Accuracy of financial information, return on short-term investments, timely collection of income.
Activities – Financial reporting, forecasting/budgeting, WBE cash management/investments, service fee billing/collection, and control activities.
Controls – The staff has a solid understanding of accounting issues and cash management. They have a high level of control awareness and are serious about their responsibilities (e.g., reconciliation activities, disbursement approvals, etc.). They use a job rotation to make sure that everyone can perform all of the jobs in the area.
Management comments – I am getting pressure from I. Barry Wriskey to be more aggressive in managing our investments. Our bottom line is getting squeezed because our expenses are high — he wants us to get into reverse repurchase agreements and derivatives.
Other factors – To date, they have been very risk averse in investment portfolio management.
Staff comments – A few weeks before the end of the quarter, we get a lot of calls from the marketing staff on their performance targets. It is amazing how much business comes in at the end of the quarter.
Comments from other areas – Accounting slows us down. They ask a lot of questions about the financial viability of some of our new customers and services.
(comments from marketing) Accounting is our biggest barrier — they take this review-and-approval business way too seriously. (comments from Platinum Elite)

Impact
• High – Assets (WBE’s cash management and investments).
• Low – None. Internal/Strategic is moderate, but it is also one of several directional risk areas (Treasury/Accounting may have more impact if they become more aggressive in investment management). All of the directional risk arrows are related to the possible investment strategy change.
Likelihood
• High – Internal/Strategic (negative comments from other areas — although they may not be well founded, they are symptoms of “coordination and teamwork” problems).
• Low – Assets (investments have been risk averse, but going forward, this could change dramatically).

Risk and Opportunities
Distinguishing Risks and Opportunities
• Events: Positive or Negative Impact, or Both
• Positive: Strategy and Objective Setting
• Negative: Mitigation and Response
• Success Stories and Lessons Learned?

Unit Conclusion
Summary
You have completed the lesson “Risk Identification and Assessment.” Here are some key points:
• There are a myriad of internal and external factors that can affect an entity’s strategies and objectives. These factors are subject to change (e.g., new risks, changes in likelihood). The potential impact associated with these factors can make or break an organization. Blind spots range from the obvious to the obscure, and from the catastrophic to the “who really cares?” To avoid overlooking an event, relevant event identification is best done without considering likelihood (i.e., prepare for what the enemy can do, not what you think it will do).
We all have time and resource constraints, and need to know where to draw the line during the risk identification process, as when the possibility of some event occurring is extremely remote or would have little impact.
• COSO offers a variety of methodologies and techniques for risk identification and assessment. Many (but not all) organizations use a form of these methodologies.
• The ability to validate ratings and identify risks is accomplished in the Wriskey Business Enterprises (WBE) exercise. The exercise serves to reinforce the ability to identify and assess risks within an organization.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Risk Responses
Introduction
Overview
In this topic, we will take a closer look at control activities and the primary types of risk responses.
Objectives
By the end of this unit, you should be able to:
• Identify the primary types of risk responses.
Resources
Readings and Resources

Control Activities and Risk Response — Factors
Control Activities
• Integration with Risk Response
• Types of Control Activities
• Policies and Procedures
• Controls over Information Systems
• Entity Specific
Risk Response
• Identify
• Evaluate
• Select
• Portfolio View

A Closer Look at Control Activities
Control Activities
• Preventative v. Detective Controls
• Policies and Procedures
• Manual v. Automated Controls
• General and Application Controls
• Other
• Integrated with Risk Response

A Closer Look at Identifying Risk Response
Identifying Risk Response
• Avoid (e.g., exit business, sell unit)
• Reduce (business decisions to reduce risk impact, likelihood, or both)
• Share (e.g., insurance, pooling, hedging, outsourcing)
• Accept (no action taken)
• Other?

A Closer Look at Evaluation and Selection
Considerations
• Potential Synergies (and Interdependence Repercussions)
• Costs v. Benefits
• Risk v. Opportunity Options
• Portfolio View Perspective

Activity: Risk Response
Activity Instructions
• Review the information about the situation on the following pages assigned to your team. Teams can also “invent” their own situation.
• Identify the 2–3 most significant risk issues that are inherent in the situation.
• Develop your recommendations for managing the risks.
• Deliverable – Be prepared to make a brief presentation to the other teams.

Situation 1 – “We’re No. 1”
A Financial Service enterprise has been hit with the threat of a class-action suit. The suit was triggered by a local television station investigative report, and the national media subsequently picked it up. The enterprise used customer information to cross-sell services. Some of these services were provided by other organizations that purchased the information from the Financial Service enterprise. The threat of the class-action suit was the first major enforcement on this type of privacy issue.
Significant Risks
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Recommended Responses
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

Situation 2 – “Going Global”
A World Trade Organization agreement has opened up an opportunity for service enterprises in a huge new market. Conservative estimates indicate that the potential market is $1 trillion (USD) in sales. Your organization has decided to enter the market. As part of the agreement, foreign firms can only enter the market as minority partners. (Initially they can hold 25% of the venture.) The agreement is also somewhat ambiguous on several points regarding access to market segments. The economy in the new market is very strong. Their government maintains tight restrictions on its currency to control capital movements and stabilize the economy.
Significant Risks
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Recommended Responses
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

Situation 3 – “Major Overhaul”
A Manufacturing enterprise has determined that a major overhaul of Division X is needed. Although the overall enterprise profits are at record levels, market share and profits are slumping in Division X.
Division X has a solid performance history, but is experiencing intense competition from other larger rivals in their market. Their rivals have increased their marketing activities to promote several new products. The new management team is reviewing all aspects of the operation. Rumors have surfaced in the business press that plant closures and major changes in supplier/distribution channels are imminent. Studies completed by industry experts show that Division X plants are efficient. This is partially due to stability in their product line.
Significant Risks
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________
Recommended Responses
___________________________________________________________________
___________________________________________________________________
___________________________________________________________________

Unit Conclusion
Summary
You have completed the lesson “Risk Response.” Here is a key point:
• Management has two options from which to choose as they manage the entity’s inherent risks. Traditionally, management and internal auditing have focused on control activities to prevent losses and manage risks. The ERM process also includes coordinated (v. fragmented) risk responses to help the entity stay within its risk tolerances and exploit opportunities.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.

Risk Monitoring
Introduction
Overview
This topic discusses how to monitor risks to determine how effectively they are being managed.
Objectives
By the end of this unit, you should be able to:
• Identify techniques and tools used for risk monitoring.
Resources
Readings and Resources
• Reading: Risk Watch
• Exhibit: Risk Reporting Tools

Information and Monitoring Factors
Information and Communication
• Information
• Strategic and Integrated Systems
• Communication
Monitoring
• Ongoing
• Separate Evaluations
• Reporting Deficiencies

A Closer Look at Information
Information is needed at all levels: Risks, Decisions, and Objectives
• Internal and External Sources
• Qualitative and Quantitative
• Formal and Informal
High Gain ERM Information Questions:
• What are the key risk metrics that management uses to run the business? Do they cover all significant risk categories?
• What metrics could management use (or are underutilized) to eliminate risk blind spots?
• How has management communicated their risk appetites and tolerances to the people who actually do the work?
Strategic and Integrated Systems
• Support Strategic Initiatives
• Fully Integrated Systems
More High Gain ERM Information Questions
How satisfied are the risk owners with the quality of systems information?
• Is it there when required?
• Is the information accurate?
• Is it in the right level of detail?
• Is it easily accessible by those who need it?
How satisfied is the ERM function with their ability to aggregate critical risk information?

Exercise: Metrics
Instructions
• Select a common activity (e.g., employee retention, investment portfolio management, technology help lines, data processing operations, or some other activity that you want to focus on in this exercise).
• Identify 1–2 point-in-time risk metrics (e.g., employee turnover) and 2–4 leading indicators for your activity.
Deliverable: Recap your results and be prepared to make a brief presentation to the other teams.
Activity: ______________________
Point-in-time metrics: ______________________
Leading indicators: ______________________

Sample Risk Metrics
Risk Category/Source – Risk Metric
• Assets (investment/credit risk, counterparty risk, fraud/theft/misuse, intellectual capital, sensitive information) – Past due %, Concentration %, Days sales outstanding, Fraud
• Operational (process/service quality, inefficiency, business interruption, strategic alliances/partners) – Quality metrics, Days of supply, Hang ups
• Information/Technology (business interruption, information/data quality, obsolescence) – System down time, Quality metrics
• Regulatory/Legal (regulations, applicable laws, contract risk, governance) – Complaints, Violations trends
• Market (interest rate risk, liquidity, foreign exchange, capital adequacy) – Value at risk
• Internal (people, resources, pressure to meet goals, coordination/communication) – ROI, ROC, Productivity standards, Employee feedback
• External (customers, competition/media, stakeholders, economy) – ROI, ROC, Market share, Customer feedback

A Closer Look at Communications
Communication is necessary regarding Risks, Expectations, Responsibilities, and Other Important Matters
• Internal
• External
• Means
ERM Innovative Practices and Lessons Learned? Examples?

High Gain ERM Communication Questions
• How has top management communicated their risk management philosophy and expectations to all employees and stakeholders?
• Did all employees and stakeholders “get the message,” and do they believe the message?
• Are open, accessible internal and external communication channels in place, and are they being used?
ERM Innovative Practices and Lessons Learned?

A Closer Look at Monitoring
Ongoing Monitoring Activities
• Management Reviews (e.g., operating reports)
• Value at Risk Models
• Customer/Supplier Complaints
• Internal Meetings (e.g., training, planning)
• Periodic Acknowledgements (e.g., code, SOX)
• Other?

ERM Monitoring Tools and Techniques
• Sample Reporting Tools
• Management Dashboards
• Other?
Please turn to Exhibit: Risk Reporting Tools.

Monitoring Evaluations and Deficiencies
Separate Evaluations
• Frequency and Scope?
• Evaluator?
• Process and Documentation?
Reporting Deficiencies
ERM Plans and Experiences?
• Sources and “Protocols”?
• What is Reported and “Thresholds”?
• Who is in the Loop?
• Escalation Practices?
ERM Innovative Practices and Lessons Learned?

ERM and Governance
Mandatory Guidance
Governance: The combination of processes and structures implemented by the board to inform, direct, manage, and monitor the activities of the organization toward the achievement of its objectives.
ERM Opportunities and Challenges?
Discussion Topics
• How often will the risk management executive meet or interact with senior management?
• How often will the risk management executive meet with the board?
• What information will the senior management and the board get from risk management?
• Other?

Reading: Risk Watch
Please turn to the appendix for the reading: Risk Watch.

Exhibit: Risk Reporting Tools
Sample Reporting Tools (footnote 1)
Notes to the Risk Analysis Form:
1.
Short term: 0 to 2 years, Intermediate term: 2 to 5 years, Long term: over 5 years
2. Describe the impact(s) of the risk before mitigation measures are applied
3. Criteria are proposed to assist in comparably evaluating the impact and probability of the risk occurring
4. Identify the measures that can reduce or eliminate the impact(s) identified in (2). Note: the measures can also eliminate the source or probability of occurrence
5. Identify the financial budget needed to implement the mitigation measures listed in (4) if they aren’t already included in the current budget
6. Identify the residual impact(s) to which the business unit will still be exposed after having mitigated the risk
Footnote 1 – Source: “Enterprise Risk Management: Trends and Emerging Practices” by the IIA Research Foundation and Tillinghast-Towers Perrin.

Sample Reporting Tools (footnote 2)
Footnote 2 – Source: “Enterprise Risk Management: Trends and Emerging Practices” by the IIA Research Foundation and Tillinghast-Towers Perrin.

Unit Conclusion
Summary
You have completed the lesson “Risk Monitoring.” Here is a key point:
• We have to monitor risks to determine how effectively we are managing those risks. Information links all of the levels (and ideally the silos) of the organization. Management uses this information to make decisions and achieve objectives. They can also use the information for ERM. Management needs information from internal and external sources, qualitative and quantitative information, and formal and informal information to make informed decisions.

Participant Expectations, Ideas, and Insights
Record actions you can take in your organization to implement the topics discussed in this unit.
Enterprise Risk Management: An Introduction – Sample Reporting Tools
Sample Reporting Tools (footnote 1): Risk Analysis Form
Mission / Objectives of the Business Unit:
(1): ______________________
(2): ______________________
(3): ______________________
(4): ______________________
(5): ______________________
(6): ______________________
Form columns:
• Risk Sources
• Risk Horizon (1)
• Impact of Risk (2)
• Gross Total Risk – Global Impact (3), rating from 1 to 9; Probability of Occurrence (3), rating from 1 to 9
• Description of Mitigation Measures (4)
• Cost of Mitigation Measures (5)
• Residual Risk – Global Impact; Probability of Occurrence; Description of Residual Risk (6)
Notes (1) through (6) are the same as those listed under Exhibit: Risk Reporting Tools above.
Footnote 1 – Source: “Enterprise Risk Management: Trends and Emerging Practices” by the IIA Research Foundation and Tillinghast-Towers Perrin.
Exhibit 7-1-1

Enterprise Risk Management: An Introduction – Sample Reporting Tools
Sample Reporting Tools (footnote 2): Monthly Risk/Opportunity Report
Row columns: Risk # | Category | RISK | Measure
Previous Month: Impact on EBIT | Probability | R/O | In FC ytd | Impl. Status
Actual Month: Impact on EBIT | Probability | R/O | In FC ytd | Impl.
Status
Rows: Risks 1–5; Opportunities (OPPORT) 1–5
Analysis and Comments: ______________________
Footnote 2 – Source: “Enterprise Risk Management: Trends and Emerging Practices” by the IIA Research Foundation and Tillinghast-Towers Perrin.
Exhibit 7-1-2

Seminar Conclusion
Introduction
Overview
This unit will help you recall the key concepts and techniques we have discussed. It is also intended to enable you to plan how to use what you have learned when you return to work.
Objectives
After completing this lesson, you should be able to:
• Discuss any open items or expectations and identify your plans and next steps.
• Restate major concepts and skills learned during the seminar.
Resources
Readings and Resources
• Reading 8-1: Real World ERM
• Reading 8-2: 12 ERM Implementation Strategies

Putting It All Together
Seminar Objectives Revisited

Plan for Action
Review the topics that were discussed during the program. Select concepts and techniques that you learned or re-emphasized that will help you accomplish the challenges you face. Be specific as to how you will use the information you have learned.

Wrap Up
Thank You for Your Participation!
Appendix
Enterprise Risk Management (ERM) Benchmarking Survey
Type: Executive Summary
Report Date: November 19, 2008
Total number of invitations: 1,400
Total number of responses collected: 240 (17.1%)
Report analysis is based on Question 1, where participants selected that they have either an informal or formal risk management program (165 responses / 11.8%).

1: Choose the answer that best describes the status of your organization's risk management efforts: (Respondents could only choose a single response)
Response – Frequency (Count)
• We have an informal risk management program (process). Please describe the program (process): – 28.3% (68)
• We have a formal (i.e., written) risk management program (process) in place. – 40.4% (97)
• We had a risk management program (process), but abandoned it. Please describe why: – 0.4% (1)
• We have a risk management plan and will implement it in the future. Please identify when: – 10.8% (26)
• We have a risk management plan, but will not implement it. Please describe why: – 0.8% (2)
• We would like to implement our risk management plan but cannot. Please describe why: – 0.4% (1)
• Risk management does not exist; the internal audit department has brought this to management's attention with suggestions for establishing such a process. – 13.8% (33)
• Risk management does not exist and has not been discussed with management or the board of directors. – 5.0% (12)
Valid Responses: 240. Total Responses: 240.
GAIN – The IIA’s Premier Benchmarking Program. Copyright © 2007 The Institute of Internal Auditors. Page 1 of 46

1.1: Please describe your informal risk management program (process):
Response (areas involved in RA program)
• Business Unit (17 responses)
• Internal Audit & Senior Management (10 responses)
• Senior Management (9 responses)
• Strategic Plan (6 responses)
• Risk Management Department (4 responses)

1.3: Please tell us why you abandoned your risk management program (process):
Response
• Delegated: ERM was discussed and processes were established. New executive management execute risk management differently, with risk management delegated to the division level. The result is risk measured and tracked on a division or project basis.

1.4: Please tell us when you will be implementing your risk management program (process):
Response
• 2009 (18 responses)
• 2008 (4 responses)

1.5: Please tell us why you will not be implementing your risk management program (process):
Response – None

1.6: Please tell us why you cannot implement your risk management program (process):
Response
• Low priority: We have developed a model, but management hasn't bought in. Now with the market decline and lay-offs it has been viewed as low priority.

2: What is the role of internal audit in your organization’s risk management efforts? (Respondents were allowed to choose multiple responses)
Response – Frequency (Count)
• Auditors have no risk management role. – 3.6% (6)
• Internal auditors played a proactive role in assisting with the initial establishment of a risk management program (process) for the organization. – 45.2% (76)
• Auditors perform the risk assessment and corresponding reports. – 25.0% (42)
• Auditors evaluate the risk management program (process) as part of their regular audit work. – 48.2% (81)
• Auditors support risk management efforts as requested. – 59.5% (100)
• Auditors manage and coordinate the organization’s risk management efforts. – 18.5% (31)
Valid Responses: 168. Total Responses: 168.

2a: Please explain how you handle any independence or objectivity issues regarding your response in question 2: "Auditors manage and coordinate the organization’s risk management efforts."
Response
• Facilitate – Audit coordinates activities and assists in the facilitation of the risk management process, working in partnership with other corporate areas. (8 responses)
• Third party – Assists in obtaining 3rd party services, if needed, for ERM risk identification and assessment reviews. (2 responses)

3: Does your organization have a risk management philosophy (i.e., the value the organization seeks from risk management) in place? (Respondents could only choose a single response)
Response – Frequency (Count)
• No – 32.7% (55)
• In progress – 23.8% (40)
• Yes – 43.5% (73)
Valid Responses: 168. Total Responses: 168.

3a: Please describe how your organization communicates or reinforces its risk management philosophy:
Response
• Communication of policies, procedures, risk management plans, code of conduct, risk framework and the organization's mission statement as it pertains to risk management (17 responses)
• Monitoring risks and communicating findings to senior management, the board of directors, or audit committee (11 responses)
• Electronic communications to all employees, such as the use of e-mail to distribute policies and procedures, updates to risk management plans, or posting information on the company's intranet (5 responses)
• Completing a risk assessment, risk profile, risk review, or risk matrix, and communicating results to senior management or risk management team (5 responses)
• Mandatory courses and training (4 responses)
• Ongoing communication among risk management personnel (4 responses)
• Distribution of written articles or reports on the organization's risk management efforts or policies (3 responses)
• Top-down communication to employees, augmented by a tone at the top that promotes risk management (2 responses)
• Use of informal risk assessments and proactively managing risks (2 responses)

3b: Please describe the specific elements that make up the risk management philosophy:
Response
• Identify, document, and evaluate risks (e.g., performing annual reviews to identify risks) (15 responses)
• Creation of policies and procedures, risk management charter or framework, as well as risk management plans based on risk assessment/identification (12 responses)
• Assigning accountability/resources at every organizational level (e.g., making all employees accountable for risk management) (8 responses)
• Assigning risks to corporate goals and key processes, including financial processes (8 responses)
• Creating an ERM framework (6 responses)
• Managing/mitigating identified risks (5 responses)
• Creating a legal, risk, or compliance group or committee at the board level to review and manage identified risks (5 responses)
• Providing reports to senior management on how the organization is managing risks (4 responses)
• Establishing a top-down approach regarding risks based on tone at the top (3 responses)

DRIVERS

4: What prompted your organization to initiate a risk management plan, program, or process? (Respondents were allowed to choose multiple responses)
  New York Stock Exchange rules: 10.7% (18)
  Standard & Poor’s 500 requirement for credit rating: 11.9% (20)
  Release of the Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management — Integrated Framework (ERM Framework): 15.5% (26)
  Board mandate: 35.1% (59)
  Chief-level interest: 38.1% (64)
  Other (specified below): 54.2% (91)
  Valid Responses 168; Total Responses 168

4.1: If not listed above, what else prompted your organization to initiate a risk management plan, program, or process?
• Good business practices (6 responses)
• Internal audit recommended (7 responses)
• Regulatory guidelines (9 responses)

5: What framework(s) is your organization using to guide its risk management efforts? (Respondents were allowed to choose multiple responses)
  None: 26.2% (44)
  COSO’s ERM Framework: 53.0% (89)
  The U.S. National Institute of Standards and Technology Risk Management Framework: 1.8% (3)
  Guidance provided by the International Risk Management Benchmarking Association: 3.6% (6)
  Other (specified below): 25.0% (42)
  Valid Responses 168; Total Responses 168

5.1: If not listed above, what other framework(s) is your organization using to guide its risk management efforts?
• None
• Internally developed framework (10 responses)
• AS/NZ (Australian) Standard (6 responses)
• Papers and articles (IIA) (4 responses)
• Third-party framework (3 responses)
• FMEA (3 responses)
• FDIC Safety and Soundness CAMEL components (2 responses)
• AICPA (1 response)
• Committee of Chief Risk Officers (1 response)
• IFI & prevailing practices (1 response)

5a: Please identify the level of impact the framework(s) identified in Question 5 has on your organization’s risk management efforts. (Respondents could only choose a single response)
  1 No Impact: 1.6% (2)
  2: 439% (5)
  3: 20.3% (25)
  4: 39.0% (48)
  5: 20.3% (25)
  6 High Impact: 13.8% (17)
  Not Answered: 1
  Valid Responses 123; Total Responses 124

6: Please rank in order of significance the benefits primarily driving your organization's risk management efforts. (1 for the least significant benefit and 9 for the most significant benefit.)
  Align risk appetite and strategy: 12.2%, rank 13
  Link growth, risk, and return: 10.6%, rank 5
  Enhance risk response decisions: 13.1%, rank 7
  Minimize operational surprises and losses: 14.7%, rank 8
  Identify and manage organization-wide risks: 15.2%, rank 9
  Provide an integrated response to multiple tasks: 10.1%, rank 4
  Seize opportunities: 9.3%, rank 3
  Rationalize capital: 8.5%, rank 2
  Other: 6.3%, rank 1
  Valid Responses 165; Total Responses 165

6a: Please explain "other" benefits that primarily drive your organization's risk management efforts:
• Identifying common risks (22 responses)
• Regulatory compliance (10 responses)
• Corporate communications (5 responses)
• Audit committee understanding (2 responses)
• Internal audit participation (2 responses)
• Reduce silo effect (2 responses)

7: Were your organization's realized benefits in line with expected benefits? (Respondents could only choose a single response)
  Yes: 57.0% (94)
  No (explained below): 18.8% (31)
  Not applicable: 24.2% (40)
  Valid Responses 165; Total Responses 165

7.1: Were your organization's realized benefits in line with expected benefits?
• Program is still in progress, too early to say (17 responses)
• Non-establishment of acceptable limits or ranges (3 responses)
• Business unit ownership problems (1 response)
• Risk escalation to cultural carriers (1 response)

IMPLEMENTATION

8: How long did it take your organization to implement its risk management program (process)?
(Respondents could only choose a single response)
  Less than one year: 13.4% (21)
  1 year: 13.4% (21)
  2–3 years: 52.2% (82)
  4–5 years: 12.1% (19)
  More than 5 years: 8.9% (14)
  Not Answered: 8
  Valid Responses 157; Total Responses 165

9: Has your organization's risk management program (process) lost momentum since its inception? (Respondents could only choose a single response)
  No: 69.6% (110)
  Yes (specified below): 30.4% (48)
  Not Answered: 7
  Valid Responses 158; Total Responses 165

9.1: Please explain how your organization's risk management program (process) lost momentum since its inception:
• ERM not embraced by management (13 responses)
• Lost impact, became a routine process (6 responses)
• Too much time commitment (4 responses)
• Financial concerns (3 responses)
• Lack of ERM education (2 responses)

10: How was your organization's risk management program (process) implemented? (Respondents could only choose a single response)
  Not applicable: 11.2% (18)
  Pilot and phased approach: 39.8% (64)
  Full-scale program: 31.7% (51)
  Other (explained below): 17.4% (28)
  Not Answered: 2
  Valid Responses 161; Total Responses 165

10.1: If not listed above, how was your organization's risk management program (process) implemented?
• Risk management process is slowly evolving from the lower levels through executive management (4 responses)
• Evolved and split off from another corporate department (3 responses)
• Risk management committee establishment (3 responses)
• Risk management processes/procedures are developed on an as-needed basis (3 responses)

11: Please rate your satisfaction with your organization's risk management program’s (process) implementation.
(Respondents could only choose a single response)
  1 Highly Dissatisfied: 1.9% (3)
  2: 9.9% (16)
  3: 27.3% (44)
  4: 29.8% (48)
  5: 21.7% (35)
  6 Highly Satisfied: 6.2% (10)
  Not Applicable: 3.1% (5)
  Not Answered: 4
  Valid Responses 161; Total Responses 165

11a: Please explain your level of satisfaction with your organization's risk management implementation:
• Process is still improving/there's room for improvement (e.g., it is a fairly new program; the program is not fully integrated yet; it is a step in the right direction; the process needs to be formalized; the process is not mature enough) (40 responses)
• Overall dissatisfied (e.g., limited use of ERM below senior management level; process is too high-level; program has the wrong scope; change in direction; discouraged with current momentum) (25 responses)
• ERM program is good, adequate, effective, or performing as expected (22 responses)
• Not clear yet what the outcome will be (e.g., too early to know what the outcome will be; the benefits are not clear yet) (11 responses)
• Senior management does not get it (8 responses)

12: Has your organization encountered barriers to its risk management program (process) implementation? (Respondents could only choose a single response)
  Yes: 60.1% (98)
  No: 33.7% (55)
  Not applicable: 6.1% (10)
  Not Answered: 2
  Valid Responses 163; Total Responses 165

13: Please rank in order of significance your organization’s primary barriers to risk management program (process) implementation. (1 for the least significant barrier and 9 for the most significant barrier.)
  Organizational culture: 13.3%, rank 9
  Benefits are unclear: 12.3%, rank 8
  No sense of urgency: 11.9%, rank 6
  Lack of or unclear risk management program (process) or philosophy: 11.3%, rank 4
  Lack of clear risk management ownership: 11.7%, rank 5
  Territorial issues among business functions: 9.4%, rank 3
  Lack of tools for implementation: 9.3%, rank 2
  Lack of time or resources: 12.9%, rank 7
  Regulatory compliance priorities: 7.7%, rank 1
  Valid Responses 165; Total Responses 165

13a: Please list any additional primary barriers to your organization's risk management program implementation if not listed above:
• No C-level or senior management support; lack of board oversight or support (8 responses)
• No barriers to risk management/it is management's responsibility (5 responses)
• Lack of ownership/wrong staff-level support (3 responses)
• Effort wrongly focused (2 responses)
• Learning/training curve (2 responses)

PROGRAM (PROCESS) STRUCTURE

14: Who is in charge of risk management in your organization? (Respondents could only choose a single response)
  Internal audit department or CAE: 15.2% (25)
  Chief risk officer, risk department, or equivalent: 32.7% (54)
  Chief financial officer: 13.9% (23)
  Legal department: 3.0% (5)
  CEO: 10.3% (17)
  Other (specified below): 24.8% (41)
  Valid Responses 165; Total Responses 165

14.1: If not listed above, who is in charge of risk management in your organization?
• Executive management (5 responses)
• Operational areas (5 responses)
• Undefined - no single owner (5 responses)
• Audit areas (4 responses)
• Chief operations officer (4 responses)
• Controller (3 responses)
• Compliance officer (2 responses)
• Corporate Secretary (2 responses)
• Financial officer (2 responses)
• General auditor (1 response)
• Human Resources (1 response)
• Policy and strategic planning (1 response)

15: How many staff members support your organization’s risk management program (process)? (Respondents could only choose a single response)
  1–3: 64.4% (103)
  4–6: 18.8% (30)
  7–10: 3.1% (5)
  11–15: 3.1% (5)
  More than 15: 10.6% (17)
  Not Answered: 5
  Valid Responses 160; Total Responses 165

16: Has your organization reached a sustaining risk management maturity level? (Respondents could only choose a single response)
  No: 70.6% (115)
  Yes: 29.4% (48)
  Not Answered: 2
  Valid Responses 163; Total Responses 165

16a: What makes your organization's risk management program (process) sustainable? (Respondents were allowed to choose multiple responses)
  Risk management efforts are part of the organization’s management process and tools: 66.0% (33)
  Senior management endorses the organization’s risk management efforts: 84.0% (42)
  Management is part of the risk management program: 74.0% (37)
  Other (specified below): 22.0% (11)
  Valid Responses 50; Total Responses 50

16a.1: If not listed above, what else makes your organization's risk management program (process) sustainable?
• Audit committee oversight (3 responses)
• Simplistic view (2 responses)
• Direct involvement of board and committee (1 response)
• Budgeted process (1 response)
• Regulatory expectations (1 response)

17: Please rate your satisfaction with your organization’s overall risk management efforts. (Respondents could only choose a single response)
  1 Highly Dissatisfied: 4.8% (8)
  2: 10.3% (17)
  3: 24.8% (41)
  4: 32.7% (54)
  5: 20.6% (34)
  6 Highly Satisfied: 6.7% (11)
  Valid Responses 165; Total Responses 165

18: Please rate your satisfaction with the effectiveness of your organization’s risk management efforts. (Respondents could only choose a single response)
  1 Highly Dissatisfied: 3.0% (5)
  2: 11.5% (19)
  3: 26.7% (44)
  4: 35.2% (58)
  5: 18.2% (30)
  6 Highly Satisfied: 5.5% (9)
  Valid Responses 165; Total Responses 165

19: How are risk management efforts integrated into your organization? (Respondents were allowed to choose multiple responses)
  Strategic planning process: 64.8% (107)
  Business planning process: 60.6% (100)
  Capital planning process: 42.4% (70)
  Performance management process: 35.8% (59)
  Other (specified below): 20.6% (34)
  Valid Responses 165; Total Responses 165

19.1: How are risk management efforts integrated into your organization?
• Executive management (5 responses)
• Business process controls (4 responses)
• Integrated as needed or required (4 responses)
• Project management (3 responses)
• Compliance (2 responses)
• Risk assessment teams/processes (2 responses)

RISK MANAGEMENT CULTURE & ENVIRONMENT

20: Which of the following best describes your organization's risk culture (i.e., shared risk management values and practices)? (Respondents could only choose a single response)
  Risk management values and practices are integrated into the organization’s daily activities: 25.6% (42)
  Risk management values and practices are evolving: 55.5% (91)
  Risk management values and practices are haphazard: 18.9% (31)
  Not Answered: 1
  Valid Responses 164; Total Responses 165

21: Please rate the significance of risk culture factors in your organization. (Respondents could only choose a single response)
  1 Highly Insignificant: 0.0% (0)
  2: 4.9% (8)
  3: 14.8% (24)
  4: 30.2% (49)
  5: 31.5% (51)
  6 Highly Significant: 18.5% (30)
  Not Answered: 3
  Valid Responses 162; Total Responses 165

22: Please rate the significance of internal environmental factors in your organization. (Respondents could only choose a single response)
  1 Highly Insignificant: 0.0% (0)
  2: 4.4% (7)
  3: 17.6% (28)
  4: 42.1% (67)
  5: 27.7% (44)
  6 Highly Significant: 8.2% (13)
  Not Answered: 6
  Valid Responses 159; Total Responses 165

COMMUNICATIONS AND REPORTING

23: Which of the following has your organization documented and communicated?
(Respondents were allowed to choose multiple responses)
  Risk appetite/tolerance (i.e., the amount of risk the organization is willing to accept in pursuit of its objectives): 27.9% (46)
  The roles and responsibilities of the board of directors regarding risk management: 57.6% (95)
  Management roles and responsibilities regarding risk management: 66.1% (109)
  Risk management reporting frequency: 47.3% (78)
  Schedule to review risk management efforts: 46.1% (76)
  Risk management performance measures: 24.2% (40)
  Other (specified below): 10.9% (18)
  Valid Responses 165; Total Responses 165

23.1: If not listed above, which of the following has your organization documented and communicated?
• Risk management processes (7 responses)
• Information communications (1 response)
• Initial framework (1 response)
• Internal audit review (1 response)

24: Has your organization's board of directors documented and communicated its risk appetite or tolerance level? (Respondents could only choose a single response)
  Yes: 20.1% (33)
  No: 61.6% (101)
  In progress: 18.3% (30)
  Not Answered: 1
  Valid Responses 164; Total Responses 165

25: Please rate your level of satisfaction with the effectiveness of your organization's risk management communication channels. (Respondents could only choose a single response)
  1 Highly Dissatisfied: 5.5% (9)
  2: 20.0% (33)
  3: 21.2% (35)
  4: 37.6% (62)
  5: 12.7% (21)
  6 Highly Satisfied: 3.0% (5)
  Valid Responses 165; Total Responses 165

26: Which of the following best describes your organization's risk categories (i.e., groups of similar potential risks or events that could impact the organization)?
(Respondents could only choose a single response)
  We don't use risk categories: 23.8% (39)
  We use 1-3 risk categories: 7.9% (13)
  We use 4-6 risk categories: 25.0% (41)
  We use 7-10 risk categories: 21.3% (35)
  We use 11-20 risk categories: 11.6% (19)
  We use more than 20 risk categories: 10.4% (17)
  Not Answered: 1
  Valid Responses 164; Total Responses 165

27: Aside from likelihood and impact, what other criteria does your organization consider in assessing risks? (Respondents could only choose a single response)
  Return on investment: 23.7% (28)
  Customer impact indices: 24.6% (29)
  Other (specified below): 51.7% (61)
  Not Answered: 47
  Valid Responses 118; Total Responses 165

27.1: If not listed above, aside from likelihood and impact, what other criteria does your organization consider in assessing risks?
• Control effectiveness environment (7 responses)
• Financial impact (5 responses)
• Quality, environments and standards (5 responses)
• Regulatory compliance (5 responses)
• Assessments - external (4 responses)
• Business unit risks (2 responses)
• Capital risk requirements (2 responses)
• Duration - Time (3 responses)

28: Which methodologies and techniques does your organization primarily use to assess risk?
(Respondents were allowed to choose multiple responses)
  Event inventories: 33.3% (55)
  Escalation triggers: 12.1% (20)
  Leading indicators: 30.9% (51)
  Loss event data: 36.4% (60)
  Process flow analysis: 22.4% (37)
  Benchmarking: 28.5% (47)
  Probabilistic and non-probabilistic models: 21.2% (35)
  Facilitated workshops: 38.2% (63)
  Interviews: 66.1% (109)
  Guided judgment: 60.0% (99)
  Other (described below): 9.1% (15)
  Valid Responses 165; Total Responses 165

28.1: If not listed above, what other methodologies and techniques does your organization primarily use to assess risk?
• Executive assessment and discussions (4 responses)
• Surveys (3 responses)
• Measuring goals and objectives (2 responses)
• Manual self-assessment (1 response)

29: Please rate your satisfaction level in the following areas:
• Accuracy of information used for risk management activities at your organization.
• Completeness of information used for risk management activities at your organization.
• Timeliness of information used for risk management activities at your organization.
Scale: 1 = Highly Dissatisfied, 6 = Highly Satisfied.

                          1      2      3      4      5      6   Total   Mean
Accuracy      Count       4     37     37     37     37     10    163   3.877
              % by Row  2.5%  22.7%  22.7%  22.7%  22.7%  6.1%  100.0%
Completeness  Count       3     22     22     22     22      7    163   3.601
              % by Row  1.8%  13.5%  13.5%  13.5%  13.5%  4.3%  100.0%
Timeliness    Count       3     37     37     37     37      8    163   3.816
              % by Row  1.8%  22.7%  22.7%  22.7%  22.7%  4.9%  100.0%
Total         Count      10     96     96     96     96     25    489   N/A
              % by Row  2.0%  19.6%  19.6%  19.6%  19.6%  5.1%  100.0%

30: Please list the source(s) of internal information channels leveraged to identify risks to the organization:
• Data collected from various internal, IT, or external sources (e.g., self risk-assessment, process-level interviews, surveys, risk management templates, ERM metrics on the company's portal, event and loss databases, inventories, risk catalogues, the Internet, and KPIs) (45 responses)
• Discussions with senior management, board, or audit committee; participation of leaders in risk teams or councils to provide feedback on risks (43 responses)
• Data collected from programs or people (i.e., SMEs, legal counsel, internal audit, process owners, hotline, competitors, customers, or management) (16 responses)
• Creation and distribution of reports (e.g., accident report form, financial and operational reports, internal audit reports, trend reports, diagnostic reports) (16 responses)
• Annual feedback from some or all staff (15 responses)
• Information from formal documents/processes (i.e., operating management style, plans, directives, personnel competencies) (9 responses)

30a: Please list the source(s) of external information channels leveraged to identify risks to the organization:
• Industry publications/information from industry groups or affiliated groups (35 responses)
• Benchmarking data from other organizations (20 responses)
• External audit reports (15 responses)
• Information from external consultants or consultant assessments, other than external auditors (14 responses)
• Information from regulatory agencies or government agencies (12 responses)
• Economic factors (5 responses)
• Internal information collected from external sources (e.g., board feedback, information from seminars, or customer satisfaction surveys) (5 responses)
• Online research/information from vendor Web sites (3 responses)

31: Ongoing risk management monitoring activities can include periodic reporting (e.g., quarterly reports from the organization’s risk owners and/or real-time reports on changing conditions). Please rate your level of satisfaction with the effectiveness of your organization's ongoing risk monitoring capabilities. (Respondents could only choose a single response)
  1 Highly Dissatisfied: 5.0% (8)
  2: 16.9% (27)
  3: 27.5% (44)
  4: 30.0% (48)
  5: 16.3% (26)
  6 Highly Satisfied: 4.4% (7)
  Not Answered: 5
  Valid Responses 160; Total Responses 165

32: To whom are risk management activities reported within your organization? (Respondents were allowed to choose multiple responses)
  Senior management: 87.3% (144)
  Board of directors: 51.5% (85)
  Audit committee: 66.1% (109)
  Other (identified below): 9.7% (16)
  Valid Responses 165; Total Responses 165

32.1: If not listed above, to whom else are risk management activities reported within your organization?
• Risk Committee (7 responses)
• Finance Committee (1 response)
• Governance Committee (1 response)
• Internal audit (1 response)
• Specific group leaders (1 response)
• Steering Committee (1 response)

33: How frequently are risk management monitoring activity results reported to senior management at your organization? (Respondents could only choose a single response)
  Monthly: 17.3% (28)
  Quarterly: 34.0% (55)
  Three times per year: 3.7% (6)
  Semi-annually: 8.0% (13)
  Annually: 17.3% (28)
  Not reported: 9.3% (15)
  More frequently than monthly (specified below): 10.5% (17)
  Not Answered: 3
  Valid Responses 162; Total Responses 165

33.1: If not listed above, at what other frequency are risk management monitoring activity results reported to senior management at your organization?
• 8-10 times annually
• As necessary (6 responses)
• Daily (3 responses)
• Weekly (2 responses)

33a: How frequently are risk management monitoring activity results reported to the board at your organization? (Respondents could only choose a single response)
  Monthly: 3.8% (6)
  Quarterly: 32.1% (51)
  Three times per year: 1.9% (3)
  Semi-annually: 11.3% (18)
  Annually: 26.4% (42)
  Not reported: 22.0% (35)
  More frequently than monthly (specified below): 2.5% (4)
  Not Answered: 6
  Valid Responses 159; Total Responses 165

33a.1: You specified risk management monitoring activity results are reported to the board at your organization “More frequently than monthly”; please specify how often:
• As required (3 responses)

33b: How frequently are risk management monitoring activity results reported to the audit committee at your organization?
(Respondents could only choose a single response)
  Monthly: 1.8% (3)
  Quarterly: 33.1% (54)
  Three times per year: 5.5% (9)
  Semi-annually: 13.5% (22)
  Annually: 23.9% (39)
  Not reported: 19.0% (31)
  More frequently than monthly (specified below): 3.1% (5)
  Not Answered: 2
  Valid Responses 163; Total Responses 165

33b.1: You specified risk management monitoring activity results are reported to the audit committee at your organization “More frequently than monthly”; please specify how often:
• As necessary (2 responses)

34: How are reports provided to senior management, the board, or a committee at your organization? (Respondents could only choose a single response)
  In a face-to-face meeting: 62.0% (98)
  E-mail only: 2.5% (4)
  Hardcopy only: 8.2% (13)
  Hardcopy and e-mail: 14.6% (23)
  Other (specified below): 0.0% (0)
  Not Answered: 27
  Valid Responses 158; Total Responses 165

34.1: If not listed above, how else are reports provided to senior management, the board, or a committee at your organization?
• None

TECHNOLOGY

35: What is the role of technology in your organization’s risk monitoring efforts? (Respondents could only choose a single response)
  Technology monitors all identified risk areas (i.e., high, medium, and low risk areas): 18.2% (29)
  Technology monitors high and medium risk areas only: 2.8% (4)
  Technology monitors high-level risk areas only: 11.3% (18)
  Technology is not used to monitor risks: 67.9% (108)
  Not Answered: 6
  Valid Responses 159; Total Responses 165

36: What technology tools currently support (i.e., capture, analyze, and report) risk management activities at your organization?
(Respondents could only choose a single response)
  None: 50.0% (79)
  In-house application(s): 29.1% (46)
  Off-the-shelf or third-party application(s) (listed below): 20.9% (33)
  Not Answered: 7
  Valid Responses 158; Total Responses 165

36.1: If not listed above, what other technology tools currently support (i.e., capture, analyze, and report) risk management activities at your organization?
• Excel (8 responses)
• MS Office (3 responses)
• Methodware (2 responses)
• ACL (1 response)
• Active Risk Manager (1 response)
• Bwise (1 response)
• Core processing software (1 response)
• RegisterMon (1 response)
• Resolver Ballot captures risks (1 response)
• Sungard's Entegrate software (1 response)

37: Please select your organization's specific IT systems used to aggregate the risk assessment at your organization. (Respondents could only choose a single response)
  Risk profiles: 27.8% (35)
  Risk dashboards: 34.9% (44)
  Other (described below): 37.3% (47)
  Not Answered: 39
  Valid Responses 126; Total Responses 165

37.1: If not listed above, what other specific IT systems are used to aggregate the risk assessment at your organization?
• Excel (9 responses)
• Microsoft Office products (3 responses)
• Survey tool (2 responses)
• Lotus Notes (1 response)
• Risk Matrix (2 responses)

37a: Please select your organization's specific IT systems used to validate the risk assessment at your organization. (Respondents could only choose a single response)
  Risk profiles: 25.2% (29)
  Risk dashboards: 28.7% (33)
  Other (described below): 46.1% (53)
  Not Answered: 58
  Valid Responses 115; Total Responses 165

37a (continued): Other specific IT systems used to validate the risk assessment at your organization:
• Discussions with management and board (5 responses)
• Excel (5 responses)
• Internal audit reports (1 response)
• Independent monitoring (1 response)
• Lotus Notes tool (1 response)
• Surveys (1 response)

37b: Please rate your organization in the following areas of effectiveness, efficiency, and satisfaction:
• The effectiveness of your organization’s risk management tools or applications.
• The efficiency of your organization’s risk management tools or applications.
• The level of satisfaction with your organization's risk management tools or applications.

Scale: 1 = Extremely Low, 6 = Extremely High.

                           1      2      3      4      5      6   Total   Mean
Effectiveness  Count      18     36     37     33     21      4    149   3.1
               % by Row 12.1%  24.2%  24.8%  22.1%  14.1%  2.7%  100.0%
Efficiency     Count      23     42     34     35      9      7    150   2.9
               % by Row 15.3%  28.0%  22.7%  23.3%   6.0%  4.7%  100.0%
Satisfaction   Count      21     41     37     30     16      5    150   3.0
               % by Row 14.0%  27.3%  24.7%  20.0%  10.7%  3.3%  100.0%
Total          Count      62    119    108     98     46     16    449   N/A
               % by Row 13.8%  26.5%  24.1%  21.8%  10.2%  3.6%  100.0%

PRACTICES

Please take a moment to share any best practices or success stories you have related to the following components of risk management. In addition, please outline any obstacles or challenges you faced.
Risk Management Program Implementation

38: Best practices or success stories:
Response
• Management ownership/involvement/support of risk management process (e.g., identifying areas of highest risk, creation of a CRO position, implementation of a risk management committee, monthly steering committee)
• Use of a pilot and phased approach to ERM program implementation that incorporated employee training (6 responses)
• Sharing of information among all senior executives/business partners for best practices (5 responses)
• Implementing ERM program through internal audit department/involving internal audit department early in the ERM process or program implementation (4 responses)
• Developed an ERM process/tools that fit the organization's needs (3 responses)
• Performing surveys and interviews with key staff and other stakeholders to obtain feedback, as well as using survey feedback to rank risk areas and develop metrics (3 responses)
• Getting all staff involved in the process for buy-in, support, and accountability (2 responses)
• Defining and using the same risk management terminology throughout the organization (i.e., speaking the same risk management language) (2 responses)

38a: Obstacles or challenges:
Response
• Lack of support from the organization as a whole or management team (e.g., risk management is viewed as another compliance process that adds no value to the organization) (24 responses)
• Lack of resources to implement the ERM process effectively (e.g., lack of SMEs, consultants, or staff)/informal ERM process (8 responses)
• Integration of risk assessment/risk management efforts into the organization's overall planning process/fragmented risk management approach (5 responses)
• Time constraints to implement program effectively/train staff effectively (4 responses)
• Lack of clear ownership/lack of involvement from process owners (4 responses)
• Overall lack of understanding of where risks lie or why the program is necessary (3 responses)
• Wrong risk management focus or priorities (e.g., spending too much time processing claims or trying to avoid losses) (3 responses)
• The program is too broad in scope/risks are identified at a low level of detail (2 responses)

Risk Management Reporting

39: Best practices or success stories:
Response
• Ease of information reporting (e.g., presenting information/dashboards to the audit committee or board during quarterly meetings) (8 responses)
• Integration of risk information into other organizational reports (e.g., audit reports) (4 responses)
• Use of risk management information to set up scorecard or corporate performance measurement criteria (3 responses)
• Use of risk management information to set up corporate risk profiles or plans (3 responses)
• Keeping board involved (1 response)

39a: Obstacles or challenges:
Response
• Lack of reporting resources (e.g., tools, SMEs) and support/buy-in from senior management and staff (14 responses)
• Reporting is not timely/keeping risk profile current (4 responses)
• Informal ERM process makes reporting/documentation difficult (4 responses)
• Lack of an integrated ERM reporting system (2 responses)
• Reporting difficulties due to too many factors to review (e.g., services or pieces of legislation) (2 responses)
• Inconsistent ERM standards/high-level ERM process make reporting difficult (2 responses)

Risk Management Monitoring

40: Best practices or success stories:
Response
• Active committee involvement (3 responses)
• Implementation of action plans (2 responses)
• Monitoring process has resulted in savings (1 response)
• More follow-up on risk assessment process (1 response)
• Process integration into the organization (1 response)

40a: Obstacles or challenges:
Response
• Informal ERM process leads to problems establishing correct level of monitoring (5 responses)
• Lack of management/organizational support (4 responses)
• Lack of/inefficient monitoring system/limited to no monitoring (4 responses)
• Integration with other monitoring processes (e.g., internal audit monitoring process) (2 responses)
• Timeliness/frequency of monitoring (2 responses)
• Problems when manually updating or validating data (2 responses)
• Wrong monitoring focus (1 response)

Implementation of Risk Management Tools/Applications

41: Best practices or success stories:
Response
• Use of in-house tool that meets organizational needs (3 responses)
• Use of common tool/ERM language and focus throughout the organization (3 responses)
• Use of resolver ballot to capture risks (2 responses)
• Increased level of staff involvement (1 response)
• Continuous improvement of ERM process due to regulatory demands (1 response)
• Easier ERM action plan implementation (1 response)

41a: Obstacles or challenges:
Response
• Tools are too basic/inefficient risk ranking system used (6 responses)
• Lack of time/resources (4 responses)
• Informal/inconsistent ERM process makes it difficult to decide which tool to use (3 responses)
• Multiple tools used throughout the organization (2 responses)
• People factors leading to a lack of agreement on which tool to use (2 responses)

Risk Management Interdependence and Correlation (i.e., how risk managed in one area impacts risk in another area)

42: Best practices or success stories:
Response
• Integration of ERM process into other business areas (8 responses)
• Greater senior management involvement (2 responses)
• Use of formalized/standard risk mitigation process (2 responses)
• ERM process helps to support planning throughout the organization and risk assumptions (2 responses)
• More process transparency (1 response)
• Ongoing process has helped to raise ERM awareness throughout the organization (1 response)

42a: Obstacles or challenges:
Response
• Lack of timely/accurate reporting of risks (4 responses)
• Risk correlation assumptions cannot be implemented throughout the entire organization due to the number of business units/services that must be monitored or the activity's focus (e.g., regular business mode vs. crisis mode) (2 responses)
• Lack of management interest (2 responses)
• Duplication of ERM data (1 response)

43: If applicable, please describe any other best practices/success stories or obstacles/challenges related to your overall risk management program that you would like to share:
Response
• Recommendation: Get the right personnel/support (e.g., getting the right person to manage the risk management process or creating a risk management team with strong board support) (2 responses)
• Recommendation: Create a tailored risk management program that meets the organization's needs (3 responses)
• Recommendation: Minimize the use of external consultants if in-house personnel are knowledgeable in risk management (1 response)
• Success story: ERM has enabled the organization to share risk management procedures with others (1 response)

44: Are there any risk management practices or issues you would like to get more information on (e.g., discussed at an IIA event, publication, research, etc.)? (Respondents could only choose a single response)

Response                  Frequency   Count
Yes (specified below)         32.7%      35
No                            67.3%      72
Not Answered                             58
Valid Responses                         107
Total Responses                         165

44.1: What are the risk management practices or issues you would like to get more information on (e.g., discussed at an IIA event, publication, research, etc.)?
Response
• Risk levels, impacts, residual risk, and examples (10 responses)
• ERM definition/scope/report examples (7 responses)
• Benchmarking resources (2 responses)
• Approaches to measurements and reporting (1 response)
• Best practices (1 response)
• COSO applications (1 response)
• Cultural mind shifting (1 response)
• Identification and monitoring methods (1 response)
• Webcast articles (1 response)

DEMOGRAPHICS

45: What is your organization's primary industry? (Respondents could only choose a single response)

Response                                         Frequency   Count
Aerospace and defense                                1.2%       2
Agriculture / forestry / fisheries                   0.0%       0
Communication / telecommunication services           1.2%       2
Construction / engineering / architecture            1.2%       2
Consulting services                                  0.0%       0
Distribution                                         0.6%       1
Educational services                                 4.9%       8
Energy / oil and gas                                 2.5%       4
Financial services / banking / real estate          21.6%      35
Gaming / lotteries                                   0.6%       1
Health services                                      4.9%       8
Hospitality / entertainment / restaurant             1.2%       2
Insurance carriers / agents                          9.9%      16
Local government                                     1.2%       2
National / federal government                        1.9%       3
Manufacturing                                       16.7%      27
Mining                                               0.6%       1
Nonprofit sector                                     0.6%       1
Pharmaceuticals                                      0.6%       1
Public accounting / accounting services              0.6%       1
State / provincial government                        2.5%       4
Technology                                           2.5%       4
Transportation                                       2.5%       4
Utilities                                            9.9%      16
Wholesale / retail                                   6.8%      11
Other                                                3.7%       6
Not Answered                                                    3
Valid Responses                                               162
Total Responses                                               165

46: What is the size of your internal audit activity? (Include internal audit, IT audit, etc.) (Respondents could only choose a single response)

Response             Frequency   Count
1-2                      14.2%      23
3-6                      30.2%      49
7-15                     26.5%      43
16-20                     7.4%      12
21-30                     6.2%      10
More than 30             14.8%      24
Not applicable            0.6%       1
Not Answered                         3
Valid Responses                    162
Total Responses                    165

47: Select the annual revenue range that best fits your organization: (Respondents could only choose a single response)

Response                                          Frequency   Count
Less than USD 10 million                              2.8%       4
USD 10 million to less than USD 50 million            5.6%       9
USD 50 million to less than USD 100 million           2.5%       4
USD 100 million to less than USD 500 million         16.9%      27
USD 500 million to less than USD 1 billion           15.6%      25
USD 1 billion to less than USD 10 billion            39.4%      63
USD 10 billion or more                               17.5%      28
Not Answered                                                     5
Valid Responses                                                160
Total Responses                                                165

Enterprise Risk Management: An Introduction

Culture of Assurance
From Internal Auditor
By GEOFFREY ATWATER

An innovative business environment provides a launching pad for the success of America’s space operations.

MANAGING AMERICA’S SPACE SHUTTLE PROGRAM is a unique and challenging mission. Meeting the U.S. National Aeronautics and Space Administration’s (NASA’s) rigorous standards and ensuring the safety of all those involved in the program requires a sound, well-controlled business environment. At United Space Alliance, LLC (USA), the unusual risks we encounter in performing space-operations work demand a remarkable amount of attention to detail. For example, just a single tool lost by a mechanic could find its way into an engine compartment, potentially resulting in catastrophic consequences. Or, tiny amounts of water accidentally trapped in an orbiter tile by the oil from a stray fingerprint could freeze under certain conditions, shattering the tile and exposing astronauts to reentry risk.
Experience has demonstrated that seemingly small risks can sometimes lead to disaster. USA has developed a set of practices that help to ensure situations like these do not occur. Five elements combine to form the basis of our approach:
• Our attitude toward safety and quality.
• The application of risk principles to everyday decisions.
• A pervasive concern for ethical conduct.
• A system of business and process controls that ensures the company operates as management intended.
• A risk-based audit approach.

The Institute of Internal Auditors, Inc., Altamonte Springs, FL ©2009 Reading 4-1-1

Each of these activities has a robust and effective program for increasing levels of awareness within their respective areas and is linked at every level of the company to the work that is performed daily. These practices have evolved to a state that we describe as the “culture of assurance.”

SAFETY
At USA, safety is our No. 1 priority. Our concerns range from industrial issues that affect the working environment to systems-related factors that affect space operations. USA has developed several initiatives to promote safe practices and to increase awareness regarding safety issues. For example, we reward employees for helping improve the safety of the space program and include an assessment of employees’ personal contributions to safety as a part of their annual performance evaluations. In addition, we provide mandatory and voluntary safety training and hold promotional events such as awareness presentations on focused topics by guest speakers. We also encourage safety awareness away from the job to ensure that our employees will be back for another day of work. Every staff meeting or formal presentation, for example, begins with a safety message applicable to work or home. On an organizational level, we measure contributions to safety improvements as part of USA’s goals and objectives.
Furthermore, we adhere to NASA’s Space Flight Operations Contract (SFOC) program requirements, which include a rigorous set of guidelines that customers use to evaluate our performance in the areas of flight safety, crew safety, and asset protection. USA also upholds its commitment to safety by emphasizing quality in all of its activities. We are required by NASA to maintain a quality certification from the International Standards Organization (ISO 9001). We have two ISO audit groups in Florida and another in Texas. The combined efforts of these groups serve to help promote a high level of awareness of the company’s quality motto: “Products and services for human space flight — safe, on time, and error free.”

RISK ASSESSMENT
Throughout the history of the human space program, risk assessment has always been a central activity. In keeping with this tradition, USA has developed a system that captures risk-assessment activities in a unified process. We culled industrial best practices and formed them into a decision-support method that can be applied at all levels of the company. The resulting process is integrated with management objectives that address “what can go wrong” rather than “how to get there from here” and ensures that risk is a key consideration in day-to-day planning and decision-making activities.

KEEPING SCORE. In addition to a process definition, our organization has developed a set of tools to aid in identifying and mitigating risk. One of these tools, the “SFOC Risk Assessment Scorecard,” addresses risk concerns related to our “Space Flight Operations Contract” with NASA and has helped add consistency in applying risk assessment to decision making across the space program. The scorecard uses our five program goals of safety, mission success, schedule, supportability, and cost to define the consequences of risk.

IDENTIFYING HOT SPOTS.
The hallmark of risk awareness at USA is our recently inaugurated risk associated trouble spots (RATS) program, which encourages and rewards employees for reporting unsafe conditions or close calls related to our five SFOC program goals. RATS enables us to address risk at all levels of the space program by:
• Engaging every employee in risk identification.
• Assigning management the responsibility for managing the program.
• Rewarding employees based on impact and contribution.
• Establishing one reporting mechanism for all of USA.
• Incorporating key features of prior programs and expanding the safety focus to address risks to all space shuttle program goals.

To help facilitate implementation of the RATS program, we have taken specific measures to ensure that it is employee friendly. These measures include supplying well-documented and easy-to-understand employee guidelines on the program, establishing a RATS Web page that reports and tracks identified RATS to closure and provides summary management information, and providing built-in, online feedback on employee contributions. Our approach has increased understanding and awareness of risk concerns, and it has helped to establish risk assessment as an integral component of our corporate culture.

ETHICS
Integrity and ethics have been critical to USA’s success. These two components underlie the purpose and effectiveness of all our activities. USA’s Ethics Office manages a rigorous program to ensure employees are aware of the policies and practices related to ethics and standards of conduct. All employees, for example, are required to take an annual ethics refresher course offered in an innovative computer-based training (CBT) format that addresses emerging trends and uses case studies based on real events.

In addition, USA provides telephone and e-mail hotlines for reporting possible ethics violations and requires employees to certify once a year that they have disclosed all known or potential violations. The Ethics Office maintains a database of calls and issues, which provides metrics on existing and emerging trends that may require management attention or may lead to additional CBT modules. The office also coordinates the investigative and adjudicative process for resolving possible violations. This process often requires close cooperation with internal auditing, as the Ethics Office frequently draws on the results of assurance-related audit work and relies on the expertise of audit staff members.

BUSINESS AND PROCESS CONTROLS
USA derived its control model from the framework established by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in Internal Control — Integrated Framework. Our adapted model is shared throughout the organization and summarized in a company policy. We’ve tailored a number of the detailed components of COSO to better suit our culture. For example, one of the main differences between our model and COSO is that we’ve adopted the phrase “business and process controls” to replace COSO’s “internal controls,” because it is more meaningful to USA’s environment. Furthermore, we’ve added a fourth item to the COSO framework’s control model elements. In addition to the framework’s elements of effective and efficient operations, reliable reporting of financial data, and compliance with applicable laws and regulations, our model also provides for protection and maintenance of company and customer property, including data. The need for this additional element is primarily driven by the custody of billions of dollars in government-furnished property, including the four NASA orbiters.
Our audit group, Company Internal Audit, is responsible for championing the control model and increasing employees’ awareness regarding their responsibility for the effectiveness of the system of business and process control. To accomplish this task, our group employs various methods such as a rotational auditor program and results-sharing among our individual audit teams. In addition, we use control self-assessment (CSA) during regularly scheduled audits and in response to management requests for process analysis and directed problem solving. Each CSA session features control training as an integral part of the procedure. We also use the CSA process as an opportunity to collect data on the effectiveness of USA’s control model.

INTEGRATED AUDIT PROCESS
Internal auditing at USA represents an assurance activity that binds the other elements of our culture of assurance together through reviews of the effectiveness and suitability of company processes. We employ an integrated audit process that is administered centrally by Company Internal Audit, which incorporates the activities of our other two audit groups — ISO and Information Technology Security. Our integrated approach enables us to allocate audit resources more effectively when coordinating projects; to share scope, allowing the two audit groups to work on different aspects of the same project; and to minimize the administrative burden on our clients of supporting audits. The cornerstone of the process is an integrated audit plan that incorporates risk evaluations prepared by the company vice presidents and program managers. The audit managers provide a list of all possible projects, sorted by higher level company process, as well as risk ranking guidelines. The executives then score each project in terms of relative risk.

The direct input received through this process provides an opportunity to evaluate risk from the viewpoint of those who are most familiar with key exposures and allows us to allocate audit resources more efficiently and coordinate processes among the audit groups. A secondary initiative stemming from the integrated audit process has involved developing common methods for the audit groups. Rather than imposing the highest available set of standards across the entire function without accounting for the individual requirements for each group, however, Company Internal Audit has been pursuing the use of common methods only where appropriate. We standardize methods for activities such as audit documentation, risk assessment, and project reporting. The minimum standards have led to improved coordination of audit efforts among our various groups and have helped us to ensure consistent application of assurance-related services with our clients.

A UNIFIED APPROACH
Together, the individual elements that comprise our culture of assurance achieve a synergy that would not occur if they existed in isolation. The combined effect of our risk assessment, safety, ethics, controls, and integrated audit activities has been profound. The collective approach has enabled us to provide assurance across the board. Management trusts that the company is operating as intended, customers understand that they can rely on our processes, member companies are confident that their investment is protected, and our employees know that their work is meaningful.

GEOFFREY ATWATER, CIA, CPA, MBA, is an internal audit manager at United Space Alliance in Houston, Texas; [email protected].
Categorizing Risk
Internal Auditor – Risk Watch, April 2002

Risk categories help users identify, understand, and monitor their organizations’ potential risks.

Today’s fast-paced business environment bombards organizations with a diverse array of risk events. Consequently, organizations are developing a variety of risk management strategies. In this environment, internal auditors have an opportunity to contribute to, or even drive, their clients’ enterprise risk management activities. However, with this opportunity comes new challenges. If auditors are expected to identify the organization’s major risks, they need powerful diagnostic tools. Most traditional audit risk assessment models are too narrowly focused to encompass the full range of business risks. The diverse nature of these risks also creates measurement problems, because it is often difficult, or impractical, to quantify their dollar impact. To meet these challenges, many internal audit groups have expanded their “risk watch” capabilities by using a set of risk categories. These categories have two main purposes: 1) to help identify the organization’s risks; and 2) to pull together risk information in a concise profile that helps users understand and monitor identified exposures.

Successful risk categorization can be compared to an effective medical evaluation. If the doctor asks: “How do you feel?” the patient might say, “Fine.” But the examination is much more revealing if the doctor asks: “How do your knees feel? How about your lungs? Any back pain?” With these questions, the patient will begin to think specifically about his or her body parts. The trick is for the doctor to develop a useful set of questions, or categories. For example, if the doctor asked only about the patient’s upper and lower body, it wouldn’t help much. Conversely, if the doctor asked about every bone, joint, and organ, the patient would quickly get frustrated with the time-wasting exercise. However, if the doctor had a reasonable number of meaningful categories, he or she might identify problem areas the patient hadn’t realized were problems. More importantly, the doctor might identify emerging risks to the patient’s health that the patient would not have thought of because the symptoms have been minor up to this point.

Developing Meaningful Categories
It isn’t possible to develop a set of risk categories that would fit all organizations. Auditors must partner with the risk owners to develop a set of categories and related measurement scales specific to their own organization. The example, “Sample Risk Categories and Impact Factors” (see 2-1-3), represents a composite of what several organizations have used. Auditors regularly discuss many of these categories and factors with managers. However, some categories — especially strategic risks — are rarely addressed. One bank auditor, for example, tells the story of an audit completed with a satisfactory rating. The findings were all documentation issues, such as forms not being completed consistently. There were risks involved with these issues, but nothing of the magnitude of the multi-million dollar loss the area experienced the following year when the economic downturn forced a sudden, unexpected write-down of asset values. The area should have been regularly revaluing these assets, but it did not occur to anyone to do so during the good times, and the internal auditors never thought of including it in their scope. If the auditors had asked the area manager what risks the area might face if the economy changed — a bullet point in the chart of risk categories — they may have saved the company embarrassment in the capital markets, at the very least. Major losses often result from a risk that never occurred to anyone.
Would these risks have occurred to managers if internal auditors had used a meaningful set of risk categories to help them identify risks? In some cases, no. In many cases, yes. A set of categories like those shown in the sample below can be tailored to a variety of industries or organization preferences. Some manufacturing firms, for example, would want an “Environmental” category. Public sector organizations may want “Reputation Risk” as a separate, and important, category. The key is to have a manageable number of risk categories that generate meaningful information. Internal auditors can use categories to facilitate risk identification during an audit project, while developing the annual audit plan, or as part of an enterprise risk management process.

The Institute of Internal Auditors, Inc., Altamonte Springs, FL ©2009 Reading 7-1-1

Measuring Impact
Risk is measured in terms of impact and likelihood. Many traditional risk assessment practices combine these two measurements. As a result, a high-impact risk that is believed to have a low likelihood will appear to be average. Also, many likelihood ratings are based on the assumption that because something hasn’t happened in the past it will never happen. To avoid these conundrums, many auditors and risk management practitioners start by measuring the raw magnitude of the risk in each of the risk categories. When the potential impact can be quantified, it is relatively easy to rate a risk. But the impact in many risk categories is qualitative, and it is usually the qualitative risks that don’t occur to anyone until it is too late. Questions like the following might help managers assess some of the less commonly considered risks within these categories:
• How much do we rely on this intellectual capital? What would happen if we lost it?
• What could happen legally or to our reputation if we lost this customer information, let others access it, or sold it to them?
• How important are these internal or external customers to accomplishing our objectives — for example, mission critical vs. administration/support?
• How important is this information or technology? Mission critical? Unimportant? Somewhere in between?
• How do the objectives of this department or process link to those of the organization as a whole? To related departments?

Measuring Likelihood
Although impact measures are generally static, likelihood measures can take organizations on a roller-coaster ride. Staying on the track depends on anticipating and responding to risks as their likelihood changes. Some factors to consider in measuring likelihood include:
• Relative strength of the control environment. For example, excessive pressure to meet aggressive goals can increase the likelihood of the risk event, while good people and communication can decrease the likelihood.
• Relative strength of the control process.
• Change in, for example, people, systems, products; complexity of, for example, operations or transactions; and location — dispersed vs. centralized, or international.

The key points in measuring likelihood are client contact and timely identification and response when the likelihood changes. Internal auditors simply must stay in touch with the risk owners if they are to stay on top of the organization’s ever-changing risk profile. If internal auditors can develop automated continuous monitoring programs, so much the better, but they cannot replace the informal information sharing with business partners.

Creating a Risk Profile
Using commonsense ratings of high, medium, and low, many audit departments create a concise risk profile that shows the relative risk in the different areas of the organization (see “Sample Risk Profile,” 2-1-4). Some add directional indicators when the risk in an area is increasing or decreasing. This type of profile allows for consistency in risk assessment across the organization.
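The two points above, worked through in code: the masking that occurs when impact and likelihood are collapsed into one score (Measuring Impact), and a profile that keeps the two ratings side by side with directional indicators (Creating a Risk Profile). This is an added example, not code from the article; the categories and the RED/YLW/GRN scale follow the reading's Sample Risk Profile, while the assessments in SAMPLE and the attention rule are constructed assumptions.

```python
"""Build a risk profile that keeps impact and likelihood separate, and show
why collapsing them into one score hides high-impact, low-likelihood risks.

Added example, not code from the article. The categories and the
RED/YLW/GRN scale follow the reading's Sample Risk Profile; the SAMPLE
assessments and the attention rule are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Three-level scale from the reading: GRN = Low, YLW = Moderate, RED = High.
LEVELS = {"GRN": 1, "YLW": 2, "RED": 3}
# Directional indicator attached to a rating when the risk is moving.
ARROWS = {"up": "\u2191", "down": "\u2193", None: ""}


@dataclass(frozen=True)
class Assessment:
    unit: str
    category: str
    impact: str                  # GRN / YLW / RED
    likelihood: str              # GRN / YLW / RED
    trend: Optional[str] = None  # "up" or "down" when likelihood is changing


def combined_score(a: Assessment) -> int:
    """The traditional single number: impact multiplied by likelihood (1..9)."""
    return LEVELS[a.impact] * LEVELS[a.likelihood]


def masked_by_combining(assessments: Iterable[Assessment]) -> List[Assessment]:
    """High-impact items whose combined score is no higher than a YLW/YLW item.

    This is the conundrum the article describes: RED impact with GRN
    likelihood scores 3 x 1 = 3, below the 4 of a YLW/YLW risk, so a list
    ranked by the combined number makes it look like a middling risk.
    """
    average = LEVELS["YLW"] * LEVELS["YLW"]
    return [a for a in assessments
            if a.impact == "RED" and combined_score(a) <= average]


def build_profile(assessments: Iterable[Assessment]) -> Dict[str, Dict[str, str]]:
    """profile[category][unit] -> 'IMPACT/LIKELIHOOD' plus a trend arrow.

    Keeping the two ratings side by side is what lets a reader notice a RED
    impact even when its likelihood is GRN.
    """
    profile: Dict[str, Dict[str, str]] = {}
    for a in assessments:
        cell = f"{a.impact}/{a.likelihood}{ARROWS[a.trend]}"
        profile.setdefault(a.category, {})[a.unit] = cell
    return profile


def attention_list(assessments: Iterable[Assessment]) -> List[Assessment]:
    """Constructed rule for what the separated view escalates: every RED
    impact, plus any rising likelihood that is already YLW or worse."""
    return [a for a in assessments
            if a.impact == "RED"
            or (a.trend == "up" and LEVELS[a.likelihood] >= LEVELS["YLW"])]


def render(profile: Dict[str, Dict[str, str]], units: List[str]) -> str:
    """Plain-text grid in the layout of the reading's Sample Risk Profile."""
    width, col = 24, 12
    lines = ["Area/Ratings".ljust(width) + "".join(u.ljust(col) for u in units)]
    for category, cells in profile.items():
        row = category.ljust(width)
        row += "".join(cells.get(u, "-").ljust(col) for u in units)
        lines.append(row)
    return "\n".join(lines)


# Constructed sample: three business units rated against three of the
# reading's categories. Unit 1 Assets is the high-impact, low-likelihood case.
SAMPLE = [
    Assessment("Unit 1", "Assets", "RED", "GRN"),
    Assessment("Unit 1", "Operational", "YLW", "YLW"),
    Assessment("Unit 1", "Information/Technology", "YLW", "YLW", "up"),
    Assessment("Unit 2", "Assets", "YLW", "GRN"),
    Assessment("Unit 2", "Operational", "RED", "RED"),
    Assessment("Unit 2", "Information/Technology", "RED", "YLW", "down"),
    Assessment("Unit 3", "Assets", "GRN", "GRN"),
    Assessment("Unit 3", "Operational", "YLW", "GRN"),
    Assessment("Unit 3", "Information/Technology", "GRN", "YLW", "up"),
]

if __name__ == "__main__":
    units = ["Unit 1", "Unit 2", "Unit 3"]
    for a in masked_by_combining(SAMPLE):
        print(f"Hidden by a combined score: {a.unit} {a.category} "
              f"(impact {a.impact}, likelihood {a.likelihood}, "
              f"score {combined_score(a)})")
    print(render(build_profile(SAMPLE), units))
    print("Needs attention:",
          [(a.unit, a.category) for a in attention_list(SAMPLE)])
```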
When managers or auditors assess the risks within an area, their frame of reference is that area. The risk profile puts their assessments into the broader perspective of the organization as a whole. From this frame of reference, the initial assessments might be revised upward or downward to create a more realistic picture. Perhaps more important, a risk profile distills the organization’s diverse array of risks into a concise graphic. This graphic can be a valuable education and communication tool to use with senior management and the audit committee.

Avoiding Surprises
The primary goal of risk management is to avoid nasty surprises. No one can predict the future, but a good set of risk categories will focus management attention and audit plans on major risks that would not be revealed by a traditional audit risk assessment model.

Sample Risk Categories and Impact Factors

Assets
  Risk sources: Investment/credit risk; Counter party risk; Fraud/theft/misuse; Intellectual capital; Sensitive information
  Impact factors: Value of asset/information; Reliance on capital or information; Potential legal and reputation issues
Operational
  Risk sources: Process/service quality; Inefficiency; Business interruption; Strategic alliances/partners
  Impact factors: Strategic/process objective; Customers/partners; Increased expense; Potential reputation and legal issues
Information/Technology
  Risk sources: Business interruption; Information/data quality; Obsolescence
  Impact factors: Reliance on technology; Strategic/process objectives; Value/use of information
Regulatory/Legal
  Risk sources: Regulations; Applicable laws; Contract risk; Governance
  Impact factors: Fines/penalties; Governance restrictions and lost opportunities; Litigation costs; Reputation damage
Market
  Risk sources: Interest rate risk; Liquidity; Foreign exchange; Capital adequacy
  Impact factors: Governance restrictions and lost opportunities; Lost income; Potential legal and reputation issues
Strategic
  Risk sources: Customers/stakeholders; Competition/media; Economy; Pressure to meet goals/resources; Coordination/communication
  Impact factors: Strategic/process objective; Potential links to all other risk categories

Sample Risk Profile
(RED = High, YLW = Moderate, GRN = Low; ↑ ↓ = directional risk)

Area/Ratings              Unit 1                Unit 2                Unit 3
                          Impact  Likelihood    Impact  Likelihood    Impact  Likelihood
Assets                    RED     YLW           YLW     GRN           YLW     YLW
Operational               RED     RED           RED     GRN           RED     RED
Information/Technology    YLW     YLW↑          RED     YLW           GRN     YLW
Regulations/Legal         YLW     YLW           YLW↓    YLW           RED     RED
Strategic                 RED     RED           RED     YLW↑          RED     RED

Real-world ERM
By Neil Baker, Editor, Internal Auditing
Internal Auditor, December 2008 (p. 32)
Illustration by Doug Stern / Yacinski Design, LLC

The failed loans and credit products that have shaken global financial markets point to the immediate need to manage enterprise risks.

Enterprise risk management (ERM) sounds like an excellent idea. Embed risk in every business decision, connect the strategy-setting process to the control framework, and thread it throughout the organization — top down and bottom up. Do that, and the board has a dashboard view of all the major threats to the business. Wheat is separated from chaff. The organization enjoys the benefits of a seamless process that identifies, prioritizes, and effectively manages all of its risks. The problem is, it doesn’t always work. Launched with all the fanfare of an emperor slipping into his new clothes, ERM initiatives too often sink into a toxic sludge of jargon, wishful thinking, and executive ambivalence. Look at the crisis in the global banking industry.
The sector once claimed leadership in ERM, but now some of its leading players have been nationalized or forced into shotgun mergers. The Financial Stability Forum, a group of central bankers, published a report on the causes of the credit crunch in April. It castigated the financial industry for its lamentable standards of risk management. Another damning report followed shortly afterward from the Institute of International Finance, a Washington, D.C.-based global association of financial institutions. The crisis “raised questions about the ability of certain bank boards to oversee senior managements and to understand and monitor the business,” it said.

Some banks, it seems, were very good at talking about ERM, but were less effective at actually doing it. According to a recent study from the Economist Intelligence Unit, only 18 percent of banks surveyed worldwide had an ERM strategy in place that was “well-formulated and rolled out across the business.” Facing a looming regulatory crackdown, financial firms will have to renew their efforts to implement ERM, the study says — if they are still in business.

The financial sector is just an example. ERM is hard to implement in any business. Too often, these initiatives run out of steam. Clearly, ERM is a very appealing idea, but how can it be made to work in the real world? What can organizations do to get beyond the rhetoric and implement ERM in a way that will be both effective and sustainable? And how can their internal audit shops help?

Making it Real

There is no shortage of guidance to explain what ERM is and how to implement it, though most of this information is written for risk and control specialists. To succeed, ERM efforts need to include people with other priorities. “One thing that makes it very difficult to implement ERM is that a lot of parties need to be involved,” says Ladd Muzzy, Ernst & Young’s Americas Enterprise Risk Management Leader. “You have to be very pragmatic and develop an approach that people in the business are going to be able to understand.”

Indeed, a lack of understanding underpins each of the three main reasons why, according to Muzzy, ERM projects run into the sand. Failure to communicate the value of ERM in simple and concrete terms makes it hard to get managers to buy into the process. Failure to create a commonly understood language for talking about risk in the organization undermines efforts to develop a single approach to risk management. And failure to understand the need for visible top-level support for ERM means that executive enthusiasm wanes.

“A simple, consistent, and well-understood risk framework is vital,” says John Wheeler, founder and principal at ERM consultancy Wheelhouse Advisors in Atlanta. That’s especially true where people are burned out by U.S. Sarbanes-Oxley Act of 2002 compliance or are overloaded by corporate initiatives that get in the way of their “real jobs.” The danger is that ERM initiatives get sidelined, and that’s fatal. As John Giantsidis, compliance manager at AMAG Pharmaceuticals in Boston says: “The greatest issue with ERM implementation is explaining to people that ERM does not and cannot operate in isolation.”

So how can an organization implement ERM in a way that people will understand? Here’s one tip: drop the acronym. Paul Sobel is vice president of internal audit at energy company Mirant in Atlanta and a recognized expert on ERM. Yet, his employer does not use a formal definition of ERM and has not adopted a formal ERM framework. When Sobel discusses risk in the company of fellow professionals he, like all the experts interviewed for this article, references the Enterprise Risk Management–Integrated Framework that The Committee of Sponsoring Organizations of the Treadway Commission (COSO) published in 2004. This document gives a detailed definition of ERM and explains some of the ways in which it can be implemented. At Mirant, Sobel uses it behind the scenes, but not more widely across the organization. “Our sense was that the COSO framework looked too bureaucratic,” he says. “As a company, we are adopting the principles that we think make sense.”

That means talking about risk management, not ERM. “What really makes ERM successful is what I call a ‘risk mind-set’ — having everybody in the organization thinking about risk whenever they have to make a decision,” Sobel explains. “I like to talk to people about their ability to answer a few simple questions whenever a decision is made: What do I want to accomplish, what could stop me from accomplishing it, and what should I do to make sure those things don’t happen or that they can be managed? That seems to demystify it.” Granted, he says, ERM is more complicated than that — especially the evaluation of “What could stop me?” and “What do I need to do about it?” Get managers to ask themselves these questions and, over time, they will see the value of the tools and procedures that come with ERM.

Embedding ERM

Michael Head, managing director of corporate audit at online brokerage TD Ameritrade, headquartered in Omaha, Neb., has worked hard to make ERM a reality at his organization. The business is in the “mature phase,” he says, having spent the past three years maintaining and enhancing its processes. Embedding ERM — the holy grail of the process, whereby risk management is part of everyday work practices — has been a challenge. “Hardly anybody disagrees with the framework, the theory, and the methodology of ERM,” he says, “but the key is ownership. If managers don’t have to own it on a day-to-day basis, and they see that as someone else’s job, it doesn’t come to life or get implemented.”

How do organizations overcome this? Remember the human element of ERM, Head says, “This is a process delivered by people.” In his organization, the process has been successful at some times and less so at others. That’s not because the methodology has changed, it’s because senior people come and go. If a new chief financial officer arrives, or an executive moves to a job in the business where his or her role in the ERM process is different, “it’s almost like you have to go back through an awareness training effort to make sure everybody in their new positions embraces ERM and understands their role,” he says. “Without support and understanding from the top, the likelihood of sustainable and successful implementation and maintenance is significantly reduced.”

All the ERM manuals stress the need for top-level support, but supportive words are not enough, Head argues. “All C-suite people are not equal in terms of power and influence within the company. For ERM to be effective, whoever is going to be the executive owner and sponsor of risk management has to be respected by the other executives and has to be considered a key senior leader with the chief executive officer (CEO) and chairman.”

That’s because the executive sponsor has to have the influence and authority to tell key business managers to get their staff on board, Head says. “If other senior executives can say, ‘I don’t want my people worrying about risk management, that’s your job,’ then it’s not going to work,” he explains. “It helps to have all the executive peers in agreement, but when push comes to shove, the person sponsoring ERM has to be influential enough to dictate to people that they will do it.”

When it comes to ERM leadership, it’s not about frameworks or methodologies. “It’s about power and influence at the people level, not on paper or in charts,” Head says. To embed ERM genuinely it must be included with the other business objectives that managers are accountable for. “If the sponsor sits in your office and says your people aren’t doing it and, as a result, it’s going to affect your performance review and bonus if you don’t get in line, that person says ‘I hear you’ and they do it,” he explains. “It’s the difference between a company that has ERM books on its shelves and one that gets ERM embedded and working on a day-to-day basis.” This power is often lacking, in banks at least, and was one of the four root causes of the credit crunch, according to Climbing Out of the Credit Crunch, a report published in October by the Association of Chartered Certified Accountants (ACCA) (see “Risk Management and the Credit Crisis” on page 35).

Risk Management and the Credit Crisis

Internal auditors trying to persuade their organizations to take risk management more seriously could start by reading two insightful reports on the fall-out from the credit crunch. Climbing Out of the Credit Crunch, published by international accountancy body the Association of Chartered Certified Accountants, argues that the principal cause of the current crisis was not subprime mortgage defaults but a failure of corporate governance at banks. Bad governance encouraged excessive short-term thinking and a blindness to risk, the report says. Risk management departments in banks must have greater influence and power, the report concludes (www.accaglobal.com).

Final Report of the IIF Committee on Market Best Practices, from the Institute of International Finance, sets out a series of principles for reforming the financial sector. It says improving risk management practice is the No. 1 priority. The report’s first principle states: “A robust and pervasive risk culture throughout the firm is essential. This risk culture should be embedded in the way the firm operates and should cover all areas and activities, with particular care not to limit risk management to specific business areas or to have it operate only as an audit or control function” (www.iif.com).

In addition to these reports, internal auditors who are thinking about what role they could play in helping their organization move to ERM should read guidance that IIA–UK and Ireland published on this topic in 2004. The Role of Internal Audit in Enterprise-wide Risk Management provides a practical description of the “green, amber, and red” activities that internal auditing might perform. It also suggests safeguards for audit shops that engage in “red-zone” activities in the short term (www.iia.org.uk).

Building on What Works

An important way of gaining support for ERM is to build on what the organization does already, Head advises. His company had committees monitoring areas such as brokerage risk, health and safety, and financial disclosures that existed before ERM was implemented. “We wanted to implement ERM in a way that aligned with risk management processes that were already embedded in the company,” he explains. “We didn’t want to change how management managed risks, but to align existing processes with a top-down communication of risk appetite.” Enhance what you’ve got and standardize where you can, he recommends, especially with regard to risk management language and reporting, but don’t replace processes or run parallel processes. “Build on what you do well, and people will feel engaged because they are contributing to a solution, not changing something that they know has worked for years.”

Muzzy agrees. “Organizations see the word enterprise and feel that they need to chew off everything at one time,” he says. They start too fast and run out of steam. “You need to start slow and leverage what is already in place. I’ve seen this fail a number of times where companies try to boil the ocean and create a brand new approach to risk, while failing to understand and use what the business has already invested in and the good things that it is already doing.”

Auditing’s Role

Internal audit shops can play an important part in getting ERM to work. In 2004, IIA–UK and Ireland produced The Role of Internal Audit in Enterprise-wide Risk Management, which set out some of the work that an audit function might do, ranging from “green zone” activities, which are comfortable audit territory (such as process assurance), to “red zone” activities, which should be the responsibility of management (such as deciding on risk responses). Paul Wilhelmij, partner and ERM lead practitioner in PricewaterhouseCoopers’ London-based governance and risk compliance business, has his own tips for internal audit involvement.

• Gather internal or external examples to help managers understand the value of ERM — both to the organization and to them personally.
• Highlight the cost of risk management failures and the potential returns from managing opportunities successfully.
• Encourage senior management to set minimum mitigation standards for key risks and get business leaders to sign off against compliance with these standards, with a statement of any exceptions and remediation plans.
• Review how key risks identified through the ERM process are managed and the extent of compliance with minimum standards.

“When challenging the coverage of key risks in the top-10 risk register, check that the big enablers or blockers to achieving the business strategy are considered,” Wilhelmij says. “Do not let the seemingly simple risks that are relatively easy to understand take attention from the big risks that are not easy to grasp, such as changes in the regulatory or competitive landscape, product complexity, and interdependencies.”

In real-world ERM, the audit shop has to be flexible, Head says. He partnered with TD Ameritrade’s finance team to get ERM started. He talked to executive management about what the audit function’s role should be, facilitated strategic risk assessment sessions with management to identify key risks, and provided coaching. But he made it clear that management had to own ERM, establish risk levels, determine monitoring activities, and implement the process. In practice, he did work that helped to establish ERM, but work he wouldn’t be comfortable doing once it was implemented. “I’ve got to be in an objective and independent role,” he says. With ERM established, he has stepped back into green zone activities. “Now we are doing annual audits of the risk management function and assessing and reporting on it. We independently evaluate the effectiveness of risk management and give assurance that the process is in place and working as intended.”

If the audit shop needs to compromise its independence and objectivity to get ERM started, it must be clear about what it is doing and why, he says. “You have to have agreement from management that you are going to back away from that role, and you need a formal time line that says when and how that is going to happen. If you don’t set down the parameters and have an action plan for how you are going to back away, you may get a job that you can never give up.”

Sobel has been through that same process. “In the early stages, sometimes internal auditing has to take the lead to get the momentum going,” he says. “It may trip over the line of independence and objectivity for awhile, but you can get back on the right side of the line later, as long as you tell people this is something that management should own and you are just doing it to get it off the ground.”

A Journey, Not a Destination

Another reason why internal audit shops might take an initial lead is that, as experts in risk and control, they have the enthusiasm needed to get ERM started. As Sobel says, “You really have to believe in this and have a passion for it, because you will come across people who are not interested.” The internal audit shop is also likely to have the focus needed to keep ERM alive. ERM is a journey, not a destination, Sobel says. “Once you say we’ve gotten there, that’s a danger sign to me. I think it is healthier to call it a journey because it keeps you on your guard a little more.” True, there are things that an organization can and should do that, once accomplished, would allow it to say it has a robust ERM program. “But, just as for any process, this is an ever-changing world — risks change all the time. No one is capable of understanding all the risk scenarios that might be out there,” he says. “As a result, I don’t think anybody can have ERM fully in place in such a way that they can, with comfort, say they are not going to end up like Lehman Brothers.”

Nonetheless, the prevailing attitude among many politicians and regulators is that bank boards should have foreseen and acted on at least some of the risks that pushed the sector into crisis. Remuneration policy is one example. The ACCA report cites independent surveys that highlight a growing differential in remuneration packages for CEOs compared with other board members. Also, over the past decade, remuneration of senior staff grew at a faster rate than dividends paid to shareholders. This encouraged excessive short-termism and undermined prudent risk-taking, the ACCA reports. In the United Kingdom, the Financial Services Authority has written to banks to say it is concerned that “inappropriate” remuneration schemes may have contributed to the crisis and that it wants to stamp out bad practice. “We want to ensure that firms follow remuneration policies which are aligned with sound risk management systems and controls and with the firm’s stated risk appetite,” the letter said.

Remuneration risk was not the only root cause identified by the ACCA that, arguably, bank boards should have recognized and controlled. Others include the overcomplexity of financial products and a lack of management understanding of the associated risks, an over-dependence on debt, the assumption that capital costs would remain low, and the failure to appreciate the influence of cultural and motivational factors, such as rigidity of thinking and lack of desire to change — what the ACCA called “an attitude of ‘it is not my problem.’” Again, all of these failings occurred in a sector that was celebrated for its risk management expertise.

Perhaps the very public consequences of risk management failure in the banking sector will encourage boards and executives in other industries to take ERM more seriously. If so, the advice from internal auditors who are making ERM work is clear: Show the value, keep it simple, and build real support. The rest of it — the jargon, acronyms, flowcharts, and models — can be useful behind the scenes but may get in the way when it comes to making ERM work in the real world. “Sometimes you can do ERM in a stealth-like manner,” Sobel says. “We don’t call it ERM because that term can’t get any traction, but that’s okay. As long as we are implementing the right kind of steps, I don’t care what we call it.”

To comment on this article, e-mail the author at [email protected].

12 ERM Implementation Challenges

Arnold Schanfield, CIA, CPA, CFE, Consultant, and Dan Helming, CIA, CPA, Leader, Internal Audit and Risk Management, Weiser LLP. Internal Auditor, December 2008.

Internal auditors can guide management and the board through the issues related to establishing enterprise risk management.

Organizations implementing enterprise risk management (ERM) face many challenges. The process is difficult because ERM is not easily understood, in part because there are so many different concepts to assimilate and pitfalls to avoid. There is a significant need for ERM if organizations are to improve governance, risk/return, and revenue growth, as well as realize the myriad other benefits. Standard & Poor’s (S&P) has reinforced this importance with its recent initiative to assess nonfinancial firms on their ERM implementation in its company ratings, beginning in 2009. Other rating agencies are implementing similar rating processes. Internal auditors should play an active role in the ERM implementation process because an organization’s failure to achieve solid ratings could result in increased financing costs.
Therefore, internal auditing should consider providing training to board members on risk and control and what directors should do to prepare for the S&P review. As part of special projects in their internal audit plan, auditors also can perform an independent review for S&P readiness. In their review, they should evaluate how their organization meets 12 ERM implementation challenges.

1. Defining Risk Terminology

The project team should develop a risk glossary at the start of the ERM implementation process to ensure that everyone in the organization is “on the same page” with regard to definitions. Consistent use of key concepts will save time and effort. At a minimum, an organization needs to agree on definitions for terms such as risk, risk assessment, risk management, ERM, significance, likelihood, inherent risk, and residual risk.

It is important to define what risk means for the entire organization at the outset of the ERM implementation, as there are several different interpretations. Risk management expert Felix Kloman defines risk as “a measure of the probable likelihood, consequences (favorable and unfavorable), and timing of a future event or situation that would affect the company.” Such a definition focuses on both the downside risk and the upside opportunity.

In implementing ERM, the project team needs to go beyond the bounds of merely risk assessment. Risk assessment is the process of identifying various events that create risk and assessing such events. Risk management encompasses risk assessment plus the evaluation of risks against established tolerances, their treatment (response), and monitoring. ERM includes all of risk management and the additional steps needed to institutionalize the entire risk process throughout the organization so that it can be sustained.

2. Selecting a Framework

The risk management community had used ERM methodologies for many years before the 2004 release of The Committee of Sponsoring Organizations of the Treadway Commission’s (COSO’s) Enterprise Risk Management–Integrated Framework. Other frameworks developed and used around the world include:

• Association of Insurance and Risk Managers (AIRMIC).
• ALARM–The National Forum for Risk Management in the Public Sector (UK).
• AS/NZ 4360:2004 (Australia/New Zealand).
• British Standard 31100.
• Criteria of Control (CoCo) (Canada).
• Combined Code on Corporate Governance (UK).
• Federation of European Risk Management Associations (FERMA).
• Internal Control (Hong Kong).
• Institute of Risk Management (IRM).
• ISO 31000 (International Organization for Standardization).
• King Report on Corporate Governance (King 1) and King Report on Corporate Governance in South Africa (King 2).
• Risk and Insurance Management Society (RIMS) Risk Maturity Model.

The AS/NZ 4360:2004 standard is the most-cited of these frameworks, together with its companion application guide, HB 436, and audit guide, HB 158. The Joint Standards Australia/Standards New Zealand Committee published the standard in 1999 and revised it in 2004. This standard’s risk management framework is structured to establish the context of risks, as well as to identify, analyze, evaluate, treat, monitor, and communicate risk.

It is important for the organization implementing ERM to understand at least some of the vast body of knowledge related to ERM so that management can make intelligent decisions about how best to implement it. Such decisions include selecting an appropriate risk framework and adapting it to the organization. Another best practice is documenting the selection process so that it can be defended adequately, if necessary. Some of the different frameworks have advantages, such as workbook materials and display slides, that may help the implementation process.

By learning more details about the various ERM frameworks, internal auditors can help management evaluate which are best suited to the organization’s needs. Once auditors get a handle on a few of these frameworks, the rest are easy to assimilate.

3. Articulating ERM Benefits/Impacts

It is important to identify up-front the benefits/impacts that the organization expects to achieve from implementing ERM. Key benefits/impacts of ERM include:

• Improved decision-making, especially in setting corporate strategy.
• Reduced risk exposure in key areas.
• Improved corporate governance.
• Improved compliance.
• Greater efficiency of operations and profitability.
• More effective business processes.
• Enhanced capital allocation.
• Increased stock price.

The ERM project team, as directed by executive management, should articulate the anticipated benefits/impacts throughout the organization and create a measurement process to determine to what extent these objectives will be achieved. For example, the organization may meet the milestone “improved corporate governance through delivery of risk assurance” if its audit committee has improved by including at least one external member and if members have received formal training in risk and control.

4. Identifying Risk

Organizations must at least understand the many techniques for identifying the various events that create risk to deploy these methods appropriately. These include:

• Review of prior internal audit reports.
• Brainstorming.
• Risk questionnaires.
• Review of financial statements, U.S. Securities and Exchange Commission reports, and management letter comments.
• Business studies.
• Industry benchmarking.
• Scenario analysis.
• Risk assessment workshops.
• Incident investigation.
• Auditing and inspections.
• Hazard and operability studies.

Several of these methods require interaction with both the internal and external stakeholders. For example, risk questionnaires will include questions on risk areas such as financial, operational, information/IT, regulatory/compliance, economic, competition/strategic, litigation, and catastrophic. On the subject of regulatory/compliance risk, the risk questionnaire might ask questions such as: What regulations apply to the organization? What reports is it required to file? Has it filed such reports timely? Has it ever been fined or sanctioned? Has it ever been audited by an external agency? Are copies of such audit reports available? Is it required to file reports of its compliance with such regulations? And how does it keep apprised of emerging regulations?

5. Assessing Risk

Risk assessment requires prioritizing the significance, likelihood, and timing of risk events. There are qualitative, semi-quantitative, and quantitative techniques available for this exercise. The challenge is to determine an appropriate technique or combination of techniques so that the various risks can be rolled up effectively.

Quantitative techniques typically are used in organizations such as highly sophisticated financial service and trading/energy firms. Interval and ratio are considered quantitative techniques, as are probabilistic, nonprobabilistic, and benchmarking techniques. The quantification exercise is difficult, but auditors must keep in mind that just because something cannot be quantified in monetary terms does not mean that the risk does not exist — out of sight is not out of mind. An excellent example of a risk that cannot be quantified easily — but must be quantified — is governance. Although governance activities may be difficult to prioritize and rate, failure to perform them may result in crises similar to those that have impacted the financial services industry.

Management should use qualitative techniques when there is insufficient data available to either quantify monetary risks or where it would be cost-prohibitive to do so. Nominal and ordinal measurement methods are considered qualitative techniques.

6. Evaluating Risk

Risk evaluation occurs after the risks are rolled up in the risk assessment phase. The exercise evaluates the assessed net risk by prioritizing all assessed risks and then comparing each risk with its established tolerance. This evaluation should produce a comprehensive list of risks and tolerances. Organizations must take action on any risk that exceeds its tolerance. As part of its risk evaluation, an organization needs a strong emphasis on defining risk tolerances for all areas. Boards alone generally do not do a good job of articulating the risk tolerances in their organization.

7. Treating Risk

Leading management and the board through the exercise of understanding their treatment options is complex. It is often challenging to determine an appropriate response. The organization may not have the expertise needed to mitigate highly specialized risks. The board may have to re-examine tolerances if many of the risks identified exceed them. The risk treatment options are:

• Accept the risk. Do nothing. Under this option, management decides to “self insure” by taking no further action and accepting the implications. In such a scenario, the board needs to revise the risk tolerances to accept “doing nothing.”
• Avoid the risk. Eliminate the activity.
• Outsource, share, or transfer the risk. This option can involve the use of derivatives, hedging, or insurance on financial risks, as well as using third parties to perform manufacturing, payroll processing, or other back office work on operational risks.
• Remedy the risk. Fix the problem.

A team should perform a cost-benefit analysis so that an appropriate treatment can be selected for each risk. Experts such as actuaries sometimes may be needed.

8. Monitoring Risk

Effective monitoring needs to ensure that the agreed-upon risk response is actually implemented and working. It is important to clarify monitoring responsibilities among internal auditing, individual business managers, and the board. Software based on key performance metrics may be used to design an effective continuous monitoring process.

9. Creating a Risk-aware Culture

A risk-aware culture is necessary to ensure that the risk process becomes institutionalized within the organization. Top-to-bottom risk training is recommended. More advanced risk identification techniques, such as control self-assessment, may be adopted eventually. Decisions and actions within the organization must be viewed within the context of a team approach. Moreover, each team member’s authority and responsibility for risk must be spelled out.

10. Deploying Technology Effectively

The ultimate quality of an ERM implementation usually depends on the people and programs involved rather than the technology. Many risk management packages use a methodology that is not specifically based on one of the recognized risk frameworks, or is not tailored to the framework the organization has chosen. These deficiencies can lead to difficulties.

This does not mean that technology should not play an active role in an ERM implementation. Technology should be built around the methodology and used, at a minimum, in several ways. A risk repository database can be used to capture the risks. Voting technology can enable stakeholders to voice their opinions anonymously without fear of retribution. Compliance software can be used for online compliance monitoring and training purposes. Organizations also can use audit data extraction, risk monitoring, and audit workpaper software in their ERM implementation.

11. Integrating Strategy and Human Resources into ERM Successfully

It is important to integrate both strategy and human resources (HR) into the ERM process. From an HR perspective, specific goal-setting tied to the success of ERM must be part of an individual’s performance management plan; without this, the implementation exercise may fail. Likewise, the business strategy should be defined at the outset of the exercise along with the organization’s mission and vision. The ERM process will flow forward from this strategy, and events will be identified that may impact achievement of the organization’s strategies and objectives.

12. Leveraging the Impact of Sarbanes-Oxley

Companies that have completed their U.S. Sarbanes-Oxley Act of 2002 implementations in the last few years may seek to leverage their compliance efforts for ERM. However, because Sarbanes-Oxley is a rules-based initiative following a bottom-up approach, it is not easily leveraged for ERM. Sarbanes-Oxley focuses on controls over transactions, whereas ERM is a top-down, holistic, principles-based approach focusing on risks associated with events. Sarbanes-Oxley also does not specifically address operational, strategic, and compliance risks not related to financial reporting.

Organizations that choose to combine their ERM and Sarbanes-Oxley efforts should start with a clean sheet of paper and identify all of those events that create risk, including those that create financial risk. The assessment of those events from the top down may then facilitate the Sarbanes-Oxley effort that was generated from the bottom up.

Hallmarks of ERM Excellence

It is a challenge to identify best practices for implementing ERM, because until recently these have not existed. However, some ERM best practices are beginning to emerge. It is paramount that the board drive the implementation exercise. Everyone in the organization must be responsible for managing some aspect of risk — there are no exceptions. All individuals must be trained in basic risk management skills, a risk framework must be adapted to the organization’s needs, and risk tolerances must be set by the board.

Internal auditors can help the implementation effort by learning all they can about ERM as well as by networking with risk professionals. They also need to challenge the external auditors to get appropriate support for this initiative. Finally, auditors must do more to educate their board about ERM to ensure the right outcomes.

To comment on this article, e-mail the author at arnold.schanfield@theiia.org.